Malvertising is an abbreviation of malicious advertising and means that legitimate sites spread malware from their infected advertisement systems. There were many malvertising campaigns in last few years, some of them confirmed even on big sites like The New York Times, but most of them go unnoticed because they are well hidden and served only to selected users. Earlier this year, one of our top analysts found a stealth infection on a Czech entertainment site and began to watch it. We were able to obtain source code from infected sites, and I would like to show you how easily hacking is done and what can be done to secure your server.
In this case all infected servers contained OpenX (open source solution for advertisement) which has a rich history of vulnerabilities. Look, for example, at last three versions.
- In version 2.8.9 and previous versions there was a SQL injection
- Version 2.8.10 contained a hidden backdoor that allowed remote PHP execution
- The latest version 2.8.11 offers more security, but there are known vulnerabilities
In summer 2013, OpenX was re-branded as Revive Adserver and several security flaws were patched. I strongly recommend you update to the latest version (currently 3.0.0) to secure your advertisement solution from being misused by hackers.
How do they get in?
An analysis of infected web pages revealed that the attacker used SQL injection to obtain administrator log ins and passwords from the database. Then he used credentials to log in and exploited another flaw to upload a backdoor with executable extension. Actually there were more backdoors and PHP scripts hidden in various places suggesting that this server was attacked multiple times.
This picture shows all scripts and their dates of creation found on the infected page. The first three files are backdoors and tools for server control. The last two files are different; they serve as an interface to the database.
Files “inj” and “minify” seem to be two versions of the same script, which connects to the database and either removes injected scripts or add new ones. The result of this modification is an iframe appended to advertisement banners. The picture below shows a SQL query used to insert malicious java-script.
The described infection is really hard to trace, because it’s not present on the server all the time, but only in predefined times and shows only to users coming from specific zone. Read more…
This question, from a small-site owner with tens or hundreds of visitors per day, is an unfortunate but all too familiar one.
One morning I started getting emails from my customers complaining that their antivirus reported my site as infected and won’t let them in. It must be some mistake because I don’t have an e-shop. There is just a contact form and information for customers. Is it possible that someone is attacking my business?
Why do hackers attack small webpages when there are larger targets?
Small websites have a very low frequency of updates, and the possibility that somebody would find and fix malicious code is almost non-existent, which make them attractive targets to hackers. Hackers seek unpatched pages based on open-source solutions because they can attack them quickly and easily. These pages are later used for sorting users – by those who have vulnerable applications on their computer and by those who cannot be attacked – or simply to hide their true identity. Attackers close “the door” behind them by patching the vulnerability that leads them in and simultaneously create another backdoor, only for them, so the page does not show as suspicious when tested for vulnerabilities.
In general, there are three common types of hacking events a web administrator could encounter:
This type is recognizable on the first look because the site has been changed to display a message from hackers showing off their skills and mocking the web administrator. This is usually a less harmful attack, and although your page was deleted, you don’t have any financial loss because the motivation for this attack was to show the lack of security on your pages and get credit from other hackers. People which make these attacks usually follow the rule, Don’t learn to hack, hack to learn.
For example, there are PHP shells that lets you select the method and reason of defacement and post it online. The image below shows part of a PHP-shell that sends statistics.
According to statistics from Zone-H, there were 1.5 million sites defaced during 2010, and the screenshot to the right shows the reasons for the attacks. A million and half seems like big number, but these are only documented attacks and the actual number would be much higher.
During the last few years, defacement has been used to display political or ethical opinions by attacking sites with lots of daily visitors. This is turn attracts media and gets as much attention as possible. Even antivirus companies are not spared, as you can read in a recent article about the hack against AVAST.
In today’s world where malware evolves and develops rapidly, sharing security information is the key element for success. Companies which ignore this fact sooner of later suffer from the consequences of their bad decision. Malware researchers from all over the world regularly meet at various IT security conferences, where they learn from each other how to fight with malware and how to make the IT world a safer place.
“Who wouldn’t want to have more likes on their Facebook page?” This is the motivation of a very trivial code to get more likes, but while other methods usually comprise of adding better content or advertising, this one is a bit easier, and much dirtier. Why not show the like button directly beneath your mouse cursor as you browse a website, make it invisible, and move it as you move your mouse?
The only thing the victim has to do is click; if they are logged in to Facebook, they will automatically like the Facebook page. And of course, it is not only about the number of likes, but each like means the victim will get all the information about this page on their news feed (until they unlike the page), and all friends will also see that you like it – so why not check it out themselves?
This method is possible due to Like Button, a social plugin for Facebook, made by Facebook developers. It is used properly on many legitimate sites, but when combined with CSS hiding and JS moving, the victim has no other chance. If you want to know how to minimize the impact of such tactics, or if you are more into technical details, read on.
PHP.net users that would like to access php.net were unpleasantly surprised today. Google flagged the website as suspicious and users of the Google Chrome and Mozilla Firefox browsers saw a security warning when they tried to visit the website.
According to the Google diagnostic page, suspicious content was found on php.net on October 23rd, 2013. Three domains were mentioned; cobbcountybankruptcylawyer.com, stephaniemari.com, and northgadui.com (owned by the same GoDaddy account) which were said to distribute malware to visitors of the site. Read more…
A few weeks ago, I discovered and Julia warned you about a fake AVAST application which was infecting smartphones. It was hidden behind adult apps and was pretty nasty. Here is some detailed information about it.
First of all, if you look for adult applications (also known as pleasure applications J ), you can find tons of them. Some apps, especially those offered on unofficial markets, are infected by malware; in the case of the fake AVAST app, it was ransomware. The same scenario commonly plays out – after installation when you play the application for the first time, you get infected and blocked from using your phone. The app asks for money to unblock you phone. That’s typical ransomware behavior.
The clues are easy to spot
You are looking for a adult application and run across something called AVASTME.NOW. What the hell is going on here, you might think? The fact that an adult app is named after the world’s most trusted antivirus might be your first clue that something is wrong. But you install the app, even though it’s a pretty weird name for an app designed for adults. Luckily, after the installation you get an icon on your device called Porn Hub, so you start to feel satisfied you actually got what you were looking for. So let’s play it!
But this satisfied feeling does not stay forever. After the first few clicks, the application announces your phone must be checked for viruses. That‘s the second big clue that something might be wrong. Normal applications do not check your phone for viruses. But you don‘t have any choice, so you continue. That’s when you see a fake avast! Mobile Security interface which is almost identical to the original.
Here comes a third clue for sharp-eyed users: All the detections you see on the screen use a different format than AVAST. But it‘s already too late to stop the app. In the next step, you are asked to pay $100 to clean up your phone. And your device is locked.
Sloppy, but effective
This ransomware is easily packed, and it’s apparent that the creators tried to do it as quickly as possible. Strings of detections don‘t have any kind of background, and it appears that it used randomly generated names from multiple antiviruses, as you see in the screenshot below. They were even too lazy to clean up unnecessary icons from the package, so you can find a picture of a cat in it (maybe it‘s the unhappy cat of some of the creators? ) Even though the app was sloppily done, the cybercrooks were successful and earned/stole large sums of money.
This is just one example of the many applications out there waiting to steal money from you. It doesn’t have to be for adults only; basically any application might be misused against you. That‘s why everyone should be a careful and download applications only from trusted sources. Because malware like this is increasing, it especially prudent to use some kind of antivirus protection. We suggest (the authentic) avast! Mobile Security, available from the Google Play store. It’s free! You never know when you will get something like this, so install it today on your Android device.
It has been more than a year, since we last time reported about Reveton lock screen family. The group behind this ransomware is still very active and supplies new versions of their ransomware regularly.
Malware samples received in the avast! Virus Lab Wednesday show that a spoofed email which looks like it has been sent from AVAST is spreading widely. Fortunately, AVAST detects this malware as Win32:Malware[Gen] and has been blocking the virus since 12:45 pm yesterday.
The email’s subject header says, “Your Order details and Additional information,” and the email message contains standard text that is sent when a person purchases a license from AVAST. The message includes an order number that is not authenticated and does not exist in the AVAST database.
The sender’s email address is firstname.lastname@example.org. This is a fake email address and was not created by AVAST. The email contains an attachment titled avast-Antivirus-Order-Details.
Our worldwide CommunityIQ sensors automatically detected and provided information to the avast! Virus Lab about these suspicious files, and the new threat was detected and neutralized immediately. So far, our virus lab has received 12,500 malware samples.
Avoid this attack by downloading the new avast! Antivirus 2014 for free.
Everybody knows the story of the beautiful Snow White. An evil queen with a bad temper gives a young girl a poisoned apple, because she apparently thinks that it would just make her day. Poor Snow White. All she wanted was a bite of this juicy apple. I guess this one particular bite didn’t make her very happy. Anyway, she apparently made some mistakes, that I can tell. For example, if she wanted an apple, she should have just picked one from a “genuine” tree. Or she could have had someone taste the apple first, like a brave knight that’s always there for her, protecting her every second.
Yes, it’s been a while since that famous apple incident happened. Nowadays, a girl wouldn’t just accept an apple from a stranger and take a bite right away. She would at least wash it first! If she’s smart enough, she’s going to have something that tells her more about the apple.
With the magic of fairy dust and special effects, let’s transform this story into the world of mobile security.
The Snow White fairy tale came to life a few days ago, when we found a fake Apple iMessage app for Android. There are lot of apps for Apple iOS that are not released for other platforms. For example, when two people have an iPhone, they can send each other messages for free via Apple’s iMessage service. The Android alternative for that service would probably be Google’s Hangouts app. The problem occurs when you want to send a free text message from iOS to Android. Yes, there’s WhatsApp, Viber, and similar apps, but there’s no way to send an iMessage to Android, nor iMessage from Android. That problem seems to bother some people, so they are eagerly waiting for a solution. The evil queen is aware of the need, so she makes poisoned apples and hands them out for free, telling others that they are sweet, juicy, and absolutely free from poison. Yes, I’m talking about fake apps that are trying to look like official Apple apps for Android. Read more…
Today is unfortunately the last day of the Virus Bulletin 2013 conference, but it has definitely been memorable. Last night, a gala dinner was held that went on into the wee morning hours. During the dinner there was a classic performance from a dancing cabaret group and a delicious meal was served. And as continuing the tradition for VB conferences, after dinner all the participants moved to our avast! Beer Bar and attempt getting their results to a higher level.
Today’s speaking line-up was concentrated on sophisticated malware on the Windows platform, online threats, and botnets. The afternoon panel discussion was moderated by Pedram Amini, our new AVAST colleague who joined the team a few weeks ago with the acquisition of Jumpshot. The discussion was about cyberwar and what we as a security industry can do about it.
Finally, the most important information: In the first blog chronicling this event, we mentioned the 7th IT Security Table Football World Championship. I asked you to wish us luck, and now I thank you for that! It definitely helped us a lot! And here are the final results!
1. Gdata – Germany
2. Avast – Czech republic
3. Microsoft – USA
Hurray, we came in second! From such a big competition, it’s a great success for the avast! Virus Lab team, and one that we hope our colleagues (and our boss) will appreciate. For example, by buying a new football table for our office! To be ready to reclaim the AVAST honor at VB2014, we need to increase our practice time! (Next year, Gdata. Next year…)