Beruflich Dokumente
Kultur Dokumente
Calendar
Discussions
Polls
RSS feeds
Subscriptions
Contacts
Log in
Search
Watch us on
Threats
Analysis
Blog
Statistics
Descriptions
Glossary
Home Analysis 18 Sep 2012 This site may harm your computer. How to recognize and defeat website infections
This site may harm your computer. How to recognize and defeat website infections
Contents
Infection symptoms Attack vectors and techniques The cybercriminals goals Removal methods Website security basics Mass website infections are one of the biggest problems in contemporary IT security. The size of the problem is reflected, for example, in the amount of queries to our Technical Support concerning warnings about malicious websites. Website owners usually complain that our product incorrectly blocks access to their portal and it must be a false alarm as they do not host any malicious content. Unfortunately, in most cases they are wrong and malicious scripts can indeed be found within their websites - injected into the original PHP, JS or HTML code by attackers. These scripts usually redirect visitors to the website to malicious URLs from where malware is downloaded and executed on the victims computer. In most cases, the execution of malware is completely invisible to the user, who sees the website appearing to operate as usual. Malicious code exploits vulnerabilities in software running on the user's computer (like Java, Flash, PDF viewers, browser plugins, etc.) to silently install itself on an attacked machine. This method is called a drive-by download and has already been extensively described on Securelist. In the following article we would like to focus on information that may help website administrators identify and remove malware from their websites. What is happening? Infection symptoms. What to look for. Examples of malicious code. How did it happen? Attack vectors and techniques. What is the purpose of it? The cybercriminals goals. How to defeat website infection. Removal methods. How to prevent website infection. Website security basics.
Share Print
Author
Marta Janus
All analysis articles All blog postings
Analysis Kaspersky Security Bulletin 2009. Malware Evolution 2009 Browsing malicious websites The Cash Factory Drive-by Downloads. The Web Under Siege Malicious website evolution: January June 2007
Blog RunForestRun, gootkit and random domain name generation The end of DNS-Changer Who is attacking me? DNSChanger - Cleaning Up 4 Million Infected Hosts Two-pronged attack: Argentine site hit by malware and data leak
Infection symptoms
How do you know if your website has been infected? The best symptoms are the most obvious ones: users complain that the website is blocked by the browser and/or security software; the website is blacklisted by Google or added to some other database of malicious URLs; there is a significant change in traffic and/or drop in search engine rankings; the website doesn't work properly, displays errors and warnings; after visiting the website, computers exhibit strange behavior. It often happens that the infection remains unnoticed for a long period of time, especially in the case of more sophisticated malware. Such malware is usually heavily obfuscated in order to mislead both website administrators and security software and it constantly changes the domain names to which it redirects, bypassing the blacklisting approach. If you do not notice any of the above mentioned symptoms its a good indication that your server is clean, but please remain alert to any suspicious activities. The most reliable sign of every single infection will be the presence of malicious/suspicious code in one or more files on the server mainly HTML, PHP or JS files, but recently also ASP/ASPX. Its not easy to find this code and it requires at least a basic knowledge of programming and website development. In order to familiarize the reader with what the malicious code may look like, below are some examples of most common web injections. Source Kaspersky Lab
Another technique for executing malicious script in the user's browser is injecting a link to this script into an HTML file as the src attribute in the script or img tag:
Recently, there have been more cases where malicious code is dynamically generated and injected into the HTML files by a malicious JS or PHP script. In such cases, this code is visible only in the source view from inside the browser, but not in physical files on the server. Cybercriminals may additionally define conditions where the code has to be generated: for example, only when the user has come to the website from certain search engines or opened the website using a particular browser. In order to deceive both the website owner and security software, and to impede the analysis of malicious code, cybercriminals use a variety of different techniques of code obfuscation.
In this particular case, the malicious code has been obfuscated. After de-obfuscation, we can see that the purpose of this script is to inject an IFRAME tag, which will be used to redirect users to a malicious URL.
This method can also be used in the opposite direction cybercriminals may inject links to some illegal, shady or malicious content (like spam, spyware, pirated software and phishing) only if a search bot is visiting the website. The purpose of such an attack is so-called Black Hat SEO: a mechanism of optimizing search results for the cybercriminal's resources. Such malware usually targets high-profiled
portals with a well-elevated Page Rank; and it's rather difficult to discover, as a regular user will never be presented with the malicious code. As a result, malicious websites are highly rated by search engines and therefore they start to appear at the top of search results.
The first of these examples (Trojan-Downloader.PHP.JScript.a) injects malicious JavaScript into the code of HTML files just after one of the defined closing tags (i.e. script, div, table, form, p, body). The content of the injected script is not plainly written it's delivered in the form of numbers and stored in two arrays: $tr and $tc. The de-obfuscation is performed on-the-fly. The code generated in this manner is also obfuscated, but in a different way:
At first glance, one might think that this script has something to do with the colors displayed on the web page. Alas, this impression is completely wrong the script converts the values it stores in the div_colors array into the ASCII characters and then builds the malicious URL, which is further appended to the HTML file with the use of document.write() or document.createElement() functions. The second PHP script (Trojan.PHP.Injecter.c) is even trickier: the malicious URL is written with the use of invisible characters: space and tabulator. If we assume that space == 0 and tab == 1, we will get binary code; every 8-bit chunk of this code is a decimal representation of one ASCII character.
The script responsible for appending this code is placed in one or more JS files on the server:
In the next case, the hexadecimal form of ASCII characters was used for the obfuscation. All JS files on the server are infected with similar code:
In another popular scenario, besides the standard obfuscation methods there are also comments in Latin probably inserted there to make the script look legitimate and gain the administrator's trust although they are just a random sequences from the famous Lorem ipsum formula :)
Finally, we have a mass web malware outbreak in which random domain names are used. The code you can find on your website, if infected with this malware, looks like this:
Getting rid of the first layer of obfuscation is not very difficult, as all you need to do is to change the eval() function to the alert() function or print() function in case of console and execute it. The second layer is a bit trickier: it uses the domain name as the key to encrypt the code.
After the decryption, we can see the malicious code, followed by the original content of the file:
It happens that the malicious part is the second version of the malware mentioned in the previous example and is used to generate the pseudo-random domain name for the redirection.
Example 7: .htaccess
Instead of infecting scripts and HTML code, attackers can also use the possibilities provided by some configuration files, such as .htaccess files. In these files the administrator can define permissions to access particular folders on the server as well as redirect users to other URLs in specific circumstances (e.g. if the user-agent comes from a mobile browser, the user will be redirected to the mobile version of the website). Its not hard to guess how cybercriminals use this functionality...
In the above example, all the users who visited this website by clicking a link from most of the major search engines (HTTP_REFERER parameter) are redirected to the malicious URL. In addition, there is quite a big list of browsers and bots which will not trigger the redirection (HTTP_USER_AGENT parameter). The redirection will not occur if the web page is read from the cache (referer == cache), nor if the web page is loaded again from the same computer (the cookie parameter). Such malware can be used for even more profiled infections for example, the exact IP addresses can be excluded, so that browsing to the website from within a specific IP range for example, one belonging to a security company will return no malicious results.
modify files already on the server. The most primitive method to gain access to the server is to crack the access password. In order to do so, cybercriminals can use a so-called brute-force attack or its limited version a dictionary attack. Such tactics are usually time consuming and require a lot of resources, so this method is rarely used for mass web infections. More popular scenarios include exploiting vulnerabilities and password-stealing malware.
Removal methods
What to do if your site gets hacked? First of all, if you see any symptoms of possible infection, you should immediately deactivate your website until the problem has been resolved. This is really essential, as every moment of delay acts in favor of the cybercriminals, exposing more potential victims to the problem and spreading the infection over the Internet. You should also check the server logs to see if there is any suspicious activity, like strange requests from IP addresses located in unusual countries, and so on. It could be helpful in locating the infected files and determining how the cybercriminals accessed the server. How to fight the malicious code, then?
Backup copy
The fastest and most reliable solution is to restore all the content of the server from a clean backup copy. To make this solution effective, you must also perform a full reinstall of the software that runs on the server (like CMS / CMF, e-commerce system, etc.) and, of course, you should use the most recent, fully updated versions for that. After such action, there no infected files should remain on the server as long as you erase all the content before the recovery and your backup copy was created before the attack.
Automated scan
If you don't have a clean backup copy, there's not much of a choice but to fight the malware on your own. Fortunately, there are several automated solutions which can help you in locating the malicious code including antivirus products and online website scanners such as http://sucuri.net/. None of them is perfect, but in the case of known / common malware all of them may prove extremely helpful. To start with, you can check your website with a few online scanners. Some of them will not only confirm whether your site is indeed infected, but also point out the malicious code within your files. Then you can perform a full antivirus scan on all of your server files. If you own the server, or if there is a security solution running on the server which you have permission to use, you can perform the scan on the server side. Make sure you've made a copy of your files, as some AV scanners will delete infected files rather than disinfect them! You can also download the contents of your server to your local computer, and scan it using your desktop Internet Security solution. The second option is better, as most contemporary desktop AVs have a well-developed heuristic module. Website malware is highly polymorphic: while static signatures are almost useless against it, it can be easily detected with heuristics.
Manual removal
If an automated scan proves unsuccessful and your site is still reported as infected, the only way to get rid of the infection is to manually search for, and delete, all instances of the harmful code. It's not an easy task and it may be quite time-consuming, as you need to check every single file be it HTML, JS, PHP or configuration file for the presence of malicious scripts. The examples above are just a small fraction of all the possible forms website malware comes in, so there is a high probability that the code on your site will be either slightly or completely different. However, most contemporary website infections have some things in common, and these features may be helpful in diagnosing the problem. Most of all, you should pay attention to every piece of code that looks obscure and unreadable. Code obfuscation is a common technique for malware writers and it's relatively unusual for any other websiterelated software. If you haven't obfuscated the code yourself, you have every reason to be suspicious about it. Do be careful, though not all obfuscated code will prove malicious! Similarly, not every malicious script will be obfuscated, so you need to look for plain text IFRAMES, as well as for other links to external resources in all of your files. Some of them may be related to advertisements and statistics, but don't be fooled by the URLs they may confusingly resemble the addresses of known and trusted portals. Don't forget to check the templates of error code messages and all the .htaccess files as well. Useful tools for hunting malicious code on the server are certainly grep and find command line utilities, included by default in pretty much all Unix-based systems. Below are some examples of how to use them to diagnose the most popular infections: grep -iRs iframe * grep -iRs eval * grep -iRs unescape * grep -iRs base64_decode * grep -iRs var div_colors * grep -iRs var _0x * grep -iRs CoreLibrariesHandler * grep -iRs pingnow * grep -iRs serchbot * grep -iRs km0ae9gr6m * grep -iRs c3284d * find . -iname upd.php find . -iname *timthumb* The description of grep (taken from the Linux manual) states: print lines matching a pattern; -i option stands for ignore case; -R means recursive and -s will prevent writing error messages to the output. The first of the listed commands will look for all IFRAME tags in the files; the next three will look for the most obvious signs of obfuscation; the last ones will look for specific strings that are related to major known website infections. As for find, the Linux manual states: search for files in a directory hierarchy; the dot indicates the current directory (so you should run these commands from within the root directory or your home directory on the server) and the -iname parameter specifies the filename to look for. You may use regular expressions to find all files that meet the given criteria. Of course, you must always know what to look for not all of the results will indicate an infection. You may want to scan suspicious pieces of code with an AV scanner or try to google it its highly likely that you will find some answers, in case of both malicious and clean code. If you're still not sure whether the file is infected or not, its best to deactivate the website (just in case) and consult a specialist before taking any other action. Very important notice! Apart from cleaning the files on the server, you must remember to perform a full antivirus scan of all the computers that are being used to upload and manage the content on the server and to change all login credentials to all the server accounts (FTP, SSH, administration panels, etc.) that you maintain.
Creating frequent backups having a clean copy of server content will certainly save you a great deal of time and effort not to mention that a fairly recent backup may prove very useful when dealing with other problems, as well as infection; Regular file scanning even if there are no visible infection symptoms, it's good practice to scan all server files once in a while; Taking care of PC security as a great deal of website malware is spread with the use of infected PCs, the security of the desktop computer used to manage your website is one of the most important aspects of website security. Keeping your computer clean and safe at all times will significantly improve the chances of your website staying safe and clean as well. Server hardening if you own the server, you should pay attention to configuring it as securely as possible. Such activity may include, but is not limited to: removing all unused software; disabling all unnecessary services and modules; setting appropriate policies for users and groups; setting secure permissions / restricting access to certain files and directories; disabling directory browsing; collecting log files, which are checked for suspicious activity on a regular basis; using encryption and secure protocols. Website malware is a real nightmare for both web administrators and Internet users. Cybercriminals are constantly improving their techniques and uncovering new exploits. Infections spread very quickly across the Internet, affecting servers and workstations as well. Its true to say there is no reliable way of eliminating this threat completely. However, every single website owner and every single Internet user can make the Internet a bit safer by following basic security rules and keeping their websites and their computers safe and clean at all times.
2 comments
Oldest first Newest first Table view Threaded view
Donna J.Marn
2012 Sep 19, 01:33
Sumit Katule
2012 Sep 24, 15:37
Network ATTACK........ After the 2 network attack my coputer will be slow down,i lost my whole data and due to which i had to format it... what a rubbish anti-virus it is......
Reply
If you would like to comment on this article you must first login
securelist.com
1997-2012 Kaspersky Lab ZAO. All Rights Reserved. Industry-leading Antivirus Softw are. Registered trademarks and service marks are the property of their respective ow ners. Threats Analysis Blog Descriptions Glossary RSS feeds Contacts Search
kaspersky.com
Products eStore Threats Dow nloads Support Partners About Us Search