Compromised websites

Discussion in 'ESET NOD32 Antivirus' started by danieln, Nov 30, 2011.

Thread Status:
Not open for further replies.
  1. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    We have noticed that multiple websites are still compromised. The websites are running the same malware, which was inserted by hackers probably several months before in some cases.

    This is an example of how the malicious code looks in the generated HTML output when you access the hacked site:
    [attached screenshot: infected.png]

    It is packed JavaScript code which creates a hidden IFRAME to some free web page registered with malicious intention.
    [attached screenshot: iframe.png]

    Addresses used by the malware are at nl.ai, osa.pl, l2x.eu and others.
    The hackers uploaded a PHP backdoor to the compromised websites so they are able to control the sites remotely, modifying the malware to avoid detection.

    The same malware has been discussed here:
    http://blog.unmaskparasites.com/2011/11/09/tmpwp_inc-or-not-your-typical-wordpress-attack/

    Malware writers do not need stolen FTP credentials to insert malware into legitimate websites. Often it is enough for them to exploit a vulnerability in some server-side application; it could be an older version of a CMS or a third-party plug-in.

    I'd like to ask the admins of compromised sites to report security incidents. Security vendors including ESET are interested in receiving samples of undetected PHP malware to improve detection. The majority of free webhosting or free DNS providers are willing (at least) to take down the malicious sites when they are reported. I believe they are trying to make it harder for malware writers to misuse their services, and the process of identifying/reporting criminals to law enforcement agencies will be easier.

    Security vendors are continually improving the detection technologies but they are not going to win the war against malware and its creators if they fight alone.
     
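    The two artefacts this post describes (a packer-wrapped `eval(function(p,a,c,k,e,d){...})` script in the page source, and the hidden IFRAME that script writes into the page) can be looked for in saved HTML. The scanner below is an added example, not code from the thread or from ESET; the sample page, the `example.invalid` addresses and the size/style heuristics are constructed assumptions. Because the real injection creates the IFRAME at runtime, it is worth scanning both the raw source (where the packer wrapper is visible) and the rendered DOM saved from a browser (where the hidden IFRAME appears).

```python
import re
from html.parser import HTMLParser

# Hypothetical scanner (added example, not code from the thread). It looks for
# two artefacts in saved HTML: an iframe that is hidden or sized to nothing,
# and a script wrapped in the Dean Edwards "packer" (eval(function(p,a,c,k,e,d){...})).
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)", re.I
)
# Inline-style tricks commonly used to keep an iframe out of sight (heuristic).
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel (the usual 'invisible' iframe)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_line = None   # line of the <script> currently being buffered
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny-size")
            if HIDDEN_STYLE_RE.search(a.get("style") or ""):
                reasons.append("hidden-by-style")
            if reasons:
                self.findings.append({"type": "hidden_iframe", "line": self.getpos()[0],
                                      "src": a.get("src") or "", "reasons": reasons})
        elif tag == "script":
            self._script_line = self.getpos()[0]
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in several chunks.
        if self._script_line is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_line is not None:
            body = "".join(self._script_buf)
            if PACKER_RE.search(body):
                self.findings.append({"type": "packed_js", "line": self._script_line,
                                      "preview": body[:40]})
            self._script_line = None


def scan_html(html):
    """Return findings for hidden iframes and packer-wrapped scripts in an HTML document."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate embed, one 1x1 hidden iframe, and a
# packer-wrapped script whose unpacked body only does document.write("hello").
SAMPLE_PAGE = r"""<html><head><title>Shop</title>
<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0.1("2")',3,3,'document|write|hello'.split('|'),0,{}))</script>
</head><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://example.invalid/count.php" width="1" height="1" style="visibility:hidden"></iframe>
<p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

    A packer hit is a lead, not a verdict: the same wrapper is used by legitimate minified libraries, so the next step is to unpack the script (or load the page in an isolated browser) and look at what it actually writes into the document.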
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    It would help to block scripting routinely in the browser and only allow it for trusted sites. If a trusted site is compromised, then hopefully AV and other security measures are there to lessen or negate the impact.
     
  3. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    I agree, using a browser extension to limit JavaScript is very effective in reducing the risk of being infected. Unfortunately, an end user has to be trained how to use it, and I think its usage may not be convenient for all of them.

    In case somebody encounters a site detected as JS/TrojanDownloader.Iframe.NKI (ESET) or
    Trojan-Downloader.JS.Iframe.cow, Trojan-Downloader.JS.Iframe.cqa (Kaspersky),
    most probably the site has this kind of infection.
     
  4. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    As a web host, we find customer sites that get infected on a regular basis - mostly osCommerce 2.2 and older WordPress installations, but also Drupal and Joomla sites as well. These are almost always the sites that were thrown up and left alone, i.e. not updated. The exploits are normally due to insecure plugins or extensions to the software.
     
  5. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Description of the malware from Sucuri LLC:
    http://sucuri.net/new-malware-evalfunctionpacked.html

    I was looking for info about this malware in other places too, and I found another security blog with removal instructions. Unfortunately, the very same blog is compromised by the very same malware.

    From time to time, you can read about compromised sites related to famous security programs. Since there were problems with sites of our distributors in the past, I am sure we will continue to focus on the problem in the future.
     
    Last edited: Dec 2, 2011
  6. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    When looking for infected files on the compromised server, I recommend that admins check the 404 error page, which is often modified by hackers to load malicious code.
    The 404 error page is served by the HTTP server when a client accesses a non-existent file (a result of a typo, or the file was removed).

    Here is an example of a hacked error page:
    [attached screenshot: 404a.png]
    The page looks normal, but when you inspect the source you will notice the malicious JavaScript inserted between the HEAD and BODY elements. The script attempts to load another script from an obfuscated PHP backdoor located on another compromised website.
    [attached screenshot: 404b.png]
    This malware uses a distributed approach, and it was well described in the following blog:
    http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/

    It is good to look for the obfuscated PHP backdoors hidden at various locations. The most frequent filename for this malware is gifimg.php.

    It is very old malware, but today you can still encounter many websites with this type of very old infection.

    ESET detects the script from the screenshot as JS/TrojanDownloader.HackLoad.AG trojan.
     
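    The two checks this post recommends (a script sitting between `</head>` and `<body>` of the 404 page, and obfuscated PHP files such as `gifimg.php` anywhere under the webroot) as an added example; this is not code from the thread or from ESET. The sample 404 page, the `example.invalid` host and the webroot written to a temporary directory are constructed; the obfuscation regex is a heuristic assumption covering the common `eval(base64_decode(...))` and `preg_replace(... /e ...)` idioms, not ESET's detection logic.

```python
import base64
import os
import re
import tempfile

# Hypothetical helper (added example, not from the thread): check a saved 404
# page for a <script> placed between </head> and <body>, and walk a webroot for
# PHP files that carry a known backdoor name or an obfuscation idiom.
BETWEEN_HEAD_BODY_RE = re.compile(r"</head>(.*?)<body\b", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

# gifimg.php is the filename the post reports; the code idioms below are
# generic PHP obfuscation patterns used as a heuristic, not a full rule set.
SUSPICIOUS_NAMES = {"gifimg.php"}
PHP_OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|preg_replace\s*\(\s*[\"'][^\"']*/e[\"']",
    re.I,
)


def check_404_page(html):
    """Flag <script> tags that sit between </head> and <body> of an error page."""
    findings = []
    gap = BETWEEN_HEAD_BODY_RE.search(html)
    if not gap:
        return findings
    for m in SCRIPT_RE.finditer(gap.group(1)):
        src = SCRIPT_SRC_RE.search(m.group(0))
        findings.append({
            "where": "between_head_and_body",
            "src": src.group(1) if src else None,
            "inline_preview": m.group(1).strip()[:60],
        })
    return findings


def scan_php_tree(root):
    """Walk a webroot and flag PHP files by known backdoor name or obfuscation idiom."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reasons = []
            if name.lower() in SUSPICIOUS_NAMES:
                reasons.append("known-backdoor-filename")
            if name.lower().endswith(".php"):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    if PHP_OBFUSCATION_RE.search(fh.read()):
                        reasons.append("obfuscated-eval")
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                findings.append({"path": rel, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample pages: the hacked one carries a loader between </head> and
# <body>; the clean one keeps its only script inside <head>.
SAMPLE_404 = (
    "<html><head><title>404 Not Found</title></head>\n"
    '<script type="text/javascript" src="http://example.invalid/images/gifimg.php"></script>\n'
    "<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>\n"
)
CLEAN_404 = (
    "<html><head><title>404 Not Found</title>\n"
    '<script type="text/javascript" src="/js/site.js"></script></head>\n'
    "<body><h1>Not Found</h1></body></html>\n"
)


def build_sample_tree(root=None):
    """Write a constructed sample webroot under root (a temp dir if None); returns root.

    The 'backdoor' bodies are harmless: the base64 blob decodes to an echo
    statement and nothing written here is ever executed.
    """
    root = root or tempfile.mkdtemp(prefix="webroot-sample-")
    blob = base64.b64encode(b"echo 'constructed sample';").decode()
    files = {
        "index.php": "<?php\nrequire 'config.php';\necho 'hello';\n",
        "images/gifimg.php": "<?php\n$x = '" + blob + "';\neval(base64_decode($x));\n",
        "wp-content/uploads/tmp.php": "<?php\n$out = preg_replace('/.*/e', $code, '');\n",
        "404.html": SAMPLE_404,
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in check_404_page(SAMPLE_404):
        print("404 page:", f)
    for f in scan_php_tree(root):
        print("file:", f)
```

    On a real server, run `scan_php_tree` over the document root and also over upload and image directories, since a `.php` file under `images/` or `uploads/` is suspicious by location alone; compare anything flagged against a known-good copy of the CMS and its plugins before deleting it, because obfuscated but legitimate vendor code does exist.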