Malvertising is an abbreviation of malicious advertising and means that legitimate sites spread malware from their infected advertisement systems. There were many malvertising campaigns in last few years, some of them confirmed even on big sites like The New York Times, but most of them go unnoticed because they are well hidden and served only to selected users. Earlier this year, one of our top analysts found a stealth infection on a Czech entertainment site and began to watch it. We were able to obtain source code from infected sites, and I would like to show you how easily hacking is done and what can be done to secure your server.
In this case all infected servers contained OpenX (open source solution for advertisement) which has a rich history of vulnerabilities. Look, for example, at last three versions.
- In version 2.8.9 and previous versions there was a SQL injection
- Version 2.8.10 contained a hidden backdoor that allowed remote PHP execution
- The latest version 2.8.11 offers more security, but there are known vulnerabilities
In summer 2013, OpenX was re-branded as Revive Adserver and several security flaws were patched. I strongly recommend you update to the latest version (currently 3.0.0) to secure your advertisement solution from being misused by hackers.
How do they get in?
An analysis of infected web pages revealed that the attacker used SQL injection to obtain administrator log ins and passwords from the database. Then he used credentials to log in and exploited another flaw to upload a backdoor with executable extension. Actually there were more backdoors and PHP scripts hidden in various places suggesting that this server was attacked multiple times.
This picture shows all scripts and their dates of creation found on the infected page. The first three files are backdoors and tools for server control. The last two files are different; they serve as an interface to the database.
Files “inj” and “minify” seem to be two versions of the same script, which connects to the database and either removes injected scripts or add new ones. The result of this modification is an iframe appended to advertisement banners. The picture below shows a SQL query used to insert malicious java-script.
The described infection is really hard to trace, because it’s not present on the server all the time, but only in predefined times and shows only to users coming from specific zone. Read more…
This question, from a small-site owner with tens or hundreds of visitors per day, is an unfortunate but all too familiar one.
One morning I started getting emails from my customers complaining that their antivirus reported my site as infected and won’t let them in. It must be some mistake because I don’t have an e-shop. There is just a contact form and information for customers. Is it possible that someone is attacking my business?
Why do hackers attack small webpages when there are larger targets?
Small websites have a very low frequency of updates, and the possibility that somebody would find and fix malicious code is almost non-existent, which make them attractive targets to hackers. Hackers seek unpatched pages based on open-source solutions because they can attack them quickly and easily. These pages are later used for sorting users – by those who have vulnerable applications on their computer and by those who cannot be attacked – or simply to hide their true identity. Attackers close “the door” behind them by patching the vulnerability that leads them in and simultaneously create another backdoor, only for them, so the page does not show as suspicious when tested for vulnerabilities.
In general, there are three common types of hacking events a web administrator could encounter:
This type is recognizable on the first look because the site has been changed to display a message from hackers showing off their skills and mocking the web administrator. This is usually a less harmful attack, and although your page was deleted, you don’t have any financial loss because the motivation for this attack was to show the lack of security on your pages and get credit from other hackers. People which make these attacks usually follow the rule, Don’t learn to hack, hack to learn.
For example, there are PHP shells that lets you select the method and reason of defacement and post it online. The image below shows part of a PHP-shell that sends statistics.
According to statistics from Zone-H, there were 1.5 million sites defaced during 2010, and the screenshot to the right shows the reasons for the attacks. A million and half seems like big number, but these are only documented attacks and the actual number would be much higher.
During the last few years, defacement has been used to display political or ethical opinions by attacking sites with lots of daily visitors. This is turn attracts media and gets as much attention as possible. Even antivirus companies are not spared, as you can read in a recent article about the hack against AVAST.
Many internet users employ simple tricks when they want to find some interesting software or computer game. They type the desired program’s name into the search bar, add the word “download” and hit enter. In most cases, the first few results from the search engine usually belong to free download servers.
I recently followed some of these links to visit the web pages hidden behind the words “free download” and was amazed at the techniques used to manipulate users. It’s not only the advertising pages you are forced to visit the instant you load the page, but if you are not careful, various sorts of malware or adware are installed to your computer without your notice. Let’s take a closer look at the shady practices you can expect from free download servers.
Download what? They really want you to look at the advertising!
On the screenshot below, you see a standard download page, but if you click anywhere else on the page, a large advertising window will pop up in the background. The big DOWNLOAD button on the top part of page will redirect you to another advertising page. The only way to get close to the actual download you want is to click on the gray button named “Slow Speed Download”. After that you must wait 45 seconds. The only reason for the delay is to give you time to think about using premium account for a “High Speed Download” and look at banners. How nice of them…
The next screenshot displays a page where you are supposed to write a CAPTCHA code. CAPTCHA is used to verify that the page visitor is human and not a computer bot seeking information, but in this case the only reason for CAPTCHA is to show you yet another advertising popup window. If you click on the input labeled “Your Answer”, a popup will be displayed automatically. Now we are closer to our desired file download, just not using the traditional way. Let me recap:
- Just ignore the large download button
- Type the text from the CAPTCHA picture
- Click the “Send” button
But don’t think you’re done, because the advertising nightmare is not over.
On the last screenshot from this page you see the final download button. There is however another catch. Not surprised, are you? Read the last line beside the checkbox carefully. This means that when you click the download button, it will start a download, just not your file. It will download only their manager, where you will install more adware directly to your computer. Oh goody.
TIP: Every time you start a file download from the internet, check if it has the right name and extension.
When I inspected similar sites to this one, many executable files popped up, even if I was looking for a RAR package. They are disguised as Archivers, Codec packages, or Download managers and had one thing in common – they try to confuse the user with clever sentences and hidden check boxes.
Everything but the download
I tested several dozen of these fake download buttons and not surprisingly, acquired a few new executable files. The download buttons redirected me to pages containing a registration for a game, an online casino, all sorts of medical products, and once, a chance to win a free iPhone in exchange for my mobile phone number. I did not gave them my phone number because the only thing I could win would be SMS advertisements or an attack on my privacy from some sort of mobile-oriented malware.
One big download button redirected me to page where an automatic download started. The page stated that this is an installer for a well-known archiver. As this screenshot shows, there is simple tutorial on the page which shows the user how to execute the file without thinking further. But what this tutorial really shows is how to ignore a security warning and let a potentially dangerous application install onto your computer!
This installer had other applications bundled, so when I started to install it, the first screen offered me a toolbar for my internet browser. There are only a few things less useful than a toolbar, because all its functions are already available in every internet browser.
On the next screenshot you can see what happens if you don’t want to install this toolbar. Another dialog designed to discourage you from skipping the installation by implying that this will abort the whole install.
If you think you want a toolbar installed, I suggest you read the license agreement which often offers very amusing content. In section 4. it states that the toolbar is not considered secure, and I can tell you why! Because the only thing that matters to the author of applications like this one is profit.
At the end of the installation, where I choose only to install the packer and nothing else, all the files listed in the last screenshot were downloaded to my computer and executed. None of these files were removed after installation and some of them are set to start automatically after the computer starts.
There is also a proxy server enabled and updated in my windows registry and program which I did not agree to install. Except for 7z and sweetim, there was not even a notice about the other programs. I don’t think this is the way a normal application installer should work.
Many free download servers are active on the internet today, but none of them give you anything actually for free. You will pay for them with your personal data or computing time when malware attacks. You should always bear in mind that there are just a few really free things on the internet, fortunately avast! Free Antivirus is one you can count on.
The application I just described can be found on Virus Total under the following SHA256: