Mass web infection leaves researcher scratching her head
Issues call to arms
Security maven Mary Landesman is in the midst of piecing together a who-done-it involving the infection of hundreds of websites that are generating an enormous amount of traffic. Or maybe it's a how-done-it. Either way, she's mostly drawing blanks.
Landesman is a researcher for ScanSafe, a company that monitors the web surfing of employees at large companies and provides them with real-time intelligence about what sites are spreading malware. When a client visits a site that has already attacked someone else, the service automatically blocks the site from loading in the end user's browser. Viewing some seven billion web requests per month, company researchers see a fair amount of internet gremlins.
Over the past four days, 15 per cent of the blocked malicious traffic has come from just a few hundred sites, which appear to be legitimate ecommerce destinations that have been compromised by attackers. This prompted Landesman to do some digging, and what she uncovered is unlike anything she's seen before.
For one thing, the sites themselves are hosting the malware, which is then foisted on visitors. Most of the time attackers are unable to gain such a high degree of control over the sites they hack, so they redirect end users to servers under the control of bad guys and use them to drop malicious payloads.
"I'm stumped," Landesman says. "This is a very different method of infecting the user. I want to find out how they're doing it and what is the common link between these sites."
So far, Landesman and other researchers have found no visible thread that ties the disparate group of mom-and-pop sites together. With addresses such as dubai.travel-culture.com, operationultimategoal.com and directline-citybreaks.co.uk, the sites are mostly based in the UK, but some also hail from India, Brazil and elsewhere. They don't use the same web host, and while most use web serving software from Apache, the versions vary widely, making it unlikely that attackers are exploiting a vulnerability in that program.
The outbreak coincides with another mass infection in progress that's infected tens of thousands of pages, including those of Boston University, security provider Computer Associates, and agencies from the state of Virginia and the city of Cleveland. It infects websites running Microsoft's Internet Information Server web program and the company's SQL database with links that redirect users to servers in China. The malicious sites then try to install keylogging software and other nasties.
As massive as that infection is, it's responsible for less than one per cent of the malicious traffic that ScanSafe has blocked over the past four days, a small fraction compared with the mystery sites Landesman is tracking.
The constant flux makes it impossible for researchers to access the script responsible for delivering the payload, or to run Google searches that might provide a more comprehensive list of other sites that might be affected.
The script looks for various vulnerabilities specific to the visiting OS, and when it finds one pulls a .Mov file from the domain dedicated.abac.net. That in turn invokes a file from bds.invitations.fr, which installs a backdoor on end users' machines. Victims are unlikely to know they've been infected because the installation is clear and seamless, and the malware uses few PC resources. At last check, only three of 33 antivirus programs detected the malware, which appears to be a derivative of the Rbot Trojan.
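The two hosts named above are the only stable indicators the article gives for this chain, so a defender's first move is to look for them in outbound proxy logs. The following is an added example, not ScanSafe's code: it parses a constructed, simplified proxy log format (timestamp, client, method, URL, status) and reports, per client, whether only the stage-one .mov pull from dedicated.abac.net was seen or whether the stage-two fetch from bds.invitations.fr followed it within a short window. The log format, the sample lines and the 60-second window are assumptions for the demonstration.

```python
"""Proxy-log check for the two-stage chain described in the article.

Added example (not ScanSafe's code). The log format and sample lines are
constructed; the two hostnames are the ones the article names.
"""
import re
from urllib.parse import urlparse

# Stage hosts from the article: the .mov pull, then the file it invokes.
STAGE1_HOST = "dedicated.abac.net"
STAGE2_HOST = "bds.invitations.fr"

# Constructed log lines: "<epoch> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
1209300001 10.1.2.3 GET http://www.example-shop.test/index.html 200
1209300002 10.1.2.3 GET http://dedicated.abac.net/media/clip.mov 200
1209300003 10.1.2.3 GET http://bds.invitations.fr/dl/setup.exe 200
1209300010 10.1.2.9 GET http://www.example-news.test/ 200
1209300011 10.1.2.9 GET http://dedicated.abac.net/media/clip.mov 200
1209300020 10.1.2.7 GET http://www.example-bank.test/login 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (ts, client, host, path) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        u = urlparse(url)
        # urlparse lowercases the hostname, so comparisons below are case-safe
        yield int(ts), client, u.hostname or "", u.path


def find_chain(text, window=60):
    """Return {client: verdict}.

    'stage1' means only the .mov pull from STAGE1_HOST was seen;
    'full' means a STAGE2_HOST request followed it within `window` seconds
    (assumed window; tune to the proxy's real timing).
    """
    first_mov = {}   # client -> timestamp of the first stage-one hit
    verdict = {}
    for ts, client, host, path in sorted(parse_log(text)):
        if host == STAGE1_HOST and path.lower().endswith(".mov"):
            first_mov.setdefault(client, ts)
            verdict.setdefault(client, "stage1")
        elif host == STAGE2_HOST and client in first_mov:
            if ts - first_mov[client] <= window:
                verdict[client] = "full"
    return verdict


if __name__ == "__main__":
    for client, stage in sorted(find_chain(SAMPLE_LOG).items()):
        print(f"{client}: {stage}")
```

A 'stage1'-only client is still worth a look: the article notes that only three of 33 antivirus engines caught the payload, so the absence of a stage-two request is not evidence that the exploit failed.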
"This is pretty nasty," Landesman says. "It's a new type of compromise, and a pretty significant one." And so far very little is understood about it.
Below is a more comprehensive (though not exhaustive) list of the sites identified as infected. If you can help shed some much-needed light on these attacks, please leave a comment below or contact your reporter using this link.
hxxp://dubai.travel-culture.com/
hxxp://operationultimategoal.com/
hxxp://www.abdet.com/maps/maps-france.html
hxxp://www.ace-cranes.com/
hxxp://www.aprazivel.com.br/
hxxp://www.bellingerfurniture.co.uk/
hxxp://www.bmw-carparts.co.uk/
hxxp://www.careinternational.com/
hxxp://www.directline-citybreaks.co.uk/
hxxp://www.directline-holidays.co.uk/
hxxp://www.directline-skiing.co.uk/
hxxp://www.emtbravo.com/
hxxp://www.flintoak.com/
hxxp://www.gujarat.com/recipes/
hxxp://www.henrykaye.co.uk/Cheap-bridesmaid-dresses-and-flowergirl-dresses
hxxp://www.hungatecottages.co.uk/the_cottages.html
hxxp://www.inthe80s.com/moviequotes/f.shtml
hxxp://www.islandescapeholidays.co.uk/Dubai
hxxp://www.london-discount-hotel.com/hotelinfo_id__106
hxxp://www.london-discount-theatre.com/productions
hxxp://www.moorgateacoustics.co.uk/
hxxp://www.njaiche.org/main.html
hxxp://www.noorcapitaluae.com/
hxxp://www.paddingtoncourt.com/
hxxp://www.panacheshoes.co.uk/
hxxp://www.peshawarjobs.com/
hxxp://www.propertyauctions.co.uk/
hxxp://www.propertyworld.com/_Bermuda
hxxp://www.quaife.co.uk/Gallery
hxxp://www.reallybored.net/
hxxp://www.sharpindialimited.com/dealer-locator.php
hxxp://www.thirlmeremeats.com.au/family.htm
hxxp://www.thirlmeremeats.com.au/special.htm
hxxp://www.travel-culture.com/airblue/
hxxp://www.vauxallparts.co.uk/
hxxp://www.yournewhome.co.uk/Swan-Hill-Homes-Ltd
That sounds like Ken Thompson's "reflections on trusting trust" paper. And what it comes down to is this: Anything compiled with a tainted compiler is liable to be compromised, and may behave in ways other than suggested by the Source Code.
The way around it, if you don't trust the compiler, is to rewrite the compiler -- starting from clean Source Code -- in straight assembler. You know it's clean because you wrote it. Nothing compiled with a "clean" compiler will do anything that was not in the Source Code.
But there's another way that takes a little bit less hard work. All you really need to write in assembler is a *partial* C *interpreter*: it only has to be able to interpret enough of the language to run the compiler Source Code interpretatively. It doesn't matter if it's slow, because it only needs to be run once. You know the interpreter is clean because you wrote it, and you know that the interpreted compiler is also clean because you checked the Source Code. Therefore, you know you will be compiling a "clean" compiler.
Well, at least to the extent that you trust the silicon .....
Depending on the sophistication of the backdoor, even a C interpreter written in C might be enough protection (since the compiled compiler is never seeing compiler Source Code; only the interpreter Source Code, which it probably doesn't know about.)
You're right in saying that a compile only system doesn't protect you from everything, but that is no reason not to think it's a good idea anyway. Seat belts don't protect you from your car going on fire, but that's not a good reason not to wear one.
@ A J Stiles
Until someone slips code into GCC.
It's been done before, as a proof of concept.
A backdoor was inserted into the 'login' program on a Unix system - this was detectable in the source, however, so he modified the compiler to insert the backdoor at compile time. Clean source built with that compiler would still have the backdoor.
He went even further though - the backdoor code was still visible in the source code for the compiler, so he modified the compiler further, to insert the backdoor in itself when compiled.
He then built a new compiler with fresh, unmodified code and his hacked compiler. This produced a compiler from clean source that contained the backdoor, and would insert the backdoor in any copy of the compiler that it compiled, and any of those compilers would insert the backdoor in 'login'. No source code audit would ever detect it.
Starting fresh from source still needs a compiler, and that compiler can be enough to exploit the entire system.
Not saying it'd be easy to do, but a compile only system doesn't protect you from everything.
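The two comments above describe the Thompson attack (a compiler that backdoors `login` and re-implants itself whenever it compiles its own clean source) and the remedy of bootstrapping a compiler through a tool you wrote yourself. The check that turns that remedy into a test is Wheeler's Diverse Double-Compiling: build the compiler from its source with the trusted tool, let that result compile the same source again, and compare bit-for-bit with what the suspect compiler produces from the same source. Below is an added toy model of both, written for this page and not taken from either commenter or from any real compiler. "Binaries" are small dicts and a "compiler" is a rule set applied by `compile_with`; `trusted` stands in for the commenter's hand-written interpreter or assembler-built compiler. Everything in it is constructed for the demonstration.

```python
"""Toy model of a self-propagating compiler backdoor and the bit-for-bit
check (Diverse Double-Compiling) that exposes it.

Added example, not from the article or its commenters. Programs and
compilers are dicts; nothing here touches a real toolchain.
"""
import hashlib
import json

# Constructed sources. Note that COMPILER_SRC is clean: a source audit
# of the compiler finds nothing, exactly as the comment above describes.
COMPILER_SRC = {"name": "cc", "is_compiler": True}
LOGIN_SRC = {"name": "login", "is_compiler": False}


def clean_compiler():
    """A compiler binary that does exactly what its source says."""
    return {"name": "cc", "backdoored": False, "propagates": False}


def trojaned_compiler():
    """A compiler binary carrying the two rules from the comment: plant the
    backdoor in 'login', and re-plant both rules when compiling cc itself."""
    return {"name": "cc", "backdoored": True, "propagates": True}


def compile_with(compiler, src):
    """Translate `src` into a 'binary' using `compiler`."""
    out = {"name": src["name"], "backdoored": False}
    if src.get("is_compiler"):
        out["propagates"] = False
    if compiler["propagates"]:
        if src["name"] == "login":
            out["backdoored"] = True          # rule 1: backdoor login
        if src.get("is_compiler"):
            out["backdoored"] = True          # rule 2: re-implant itself
            out["propagates"] = True          # even from clean COMPILER_SRC
    return out


def fingerprint(binary):
    """Stand-in for hashing a real binary image."""
    blob = json.dumps(binary, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def login_is_backdoored(compiler):
    """Does 'login' built with `compiler` carry the backdoor?"""
    return compile_with(compiler, LOGIN_SRC)["backdoored"]


def diverse_double_compile(suspect, trusted, compiler_src=COMPILER_SRC):
    """Return True if `suspect` passes DDC against `trusted`.

    stage1: compiler_src built by the trusted tool.
    stage2: compiler_src built by stage1 (self-hosted from a trusted base).
    A correct `suspect` compiling compiler_src must equal stage2 exactly.
    """
    stage1 = compile_with(trusted, compiler_src)
    stage2 = compile_with(stage1, compiler_src)
    suspect_self = compile_with(suspect, compiler_src)
    return fingerprint(stage2) == fingerprint(suspect_self)


def rebuild_from_clean_source(compiler):
    """The commenter's point: rebuilding cc from unmodified source with a
    trojaned cc yields another trojaned cc."""
    return compile_with(compiler, COMPILER_SRC)


if __name__ == "__main__":
    bad = rebuild_from_clean_source(trojaned_compiler())
    print("rebuilt cc still propagates:", bad["propagates"])
    print("DDC verdict on trojaned cc:",
          diverse_double_compile(trojaned_compiler(), clean_compiler()))
```

The model makes the comment's closing point concrete: `rebuild_from_clean_source(trojaned_compiler())` still propagates, so a source audit alone never catches it, whereas the DDC comparison does, provided the trusted compiler was built by something the attacker never touched. The silicon caveat from the earlier comment still applies.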
I am getting a number of hits when testing with NIS2008 from each of those sites. Some appear to have been cleaned up:
- Gretech GOMPlayer openURL BO
- MSIE ADODB.Stream Object File Installation Weakness
- VML BO
- MSIE WebViewFolderIcon BO
- MSIE RealPlayer something..
- QuickTime something
- AOL Superbuddy BO
There were a couple of others.