Cyber defense starts on your private compute either at home or office. It is better to stop all malicious viruses at that entry point . This will decrease the danger of bigger damage. Here are some useful hints from the Kasparsky Labs experts.
By Marta Janus, SecureList
Mass website infections are one of the biggest problems in contemporary IT security. The size of the problem is reflected, for example, in the amount of queries to our Technical Support concerning warnings about malicious websites. Website owners usually complain that our product incorrectly blocks access to their portal and it must be a false alarm as they do not host any malicious content. Unfortunately, in most cases they are wrong and malicious scripts can indeed be found within their websites – injected into the original PHP, JS or HTML code by attackers. These scripts usually redirect visitors to the website to malicious URLs from where malware is downloaded and executed on the victim’s computer. In most cases, the execution of malware is completely invisible to the user, who sees the website appearing to operate as usual. Malicious code exploits vulnerabilities in software running on the user’s computer (like Java, Flash, PDF viewers, browser plugins, etc.) to silently install itself on an attacked machine. This method is called a “drive-by download” and has already been extensively described on Securelist.
In the following article we would like to focus on information that may help website administrators identify and remove malware from their websites.
- What is happening? Infection symptoms.
- What to look for. Examples of malicious code.
- How did it happen? Attack vectors and techniques.
- What is the purpose of it? The criminals’ goals.
- How to defeat website infection. Removal methods.
- How to prevent website infection. Website security basics.
How do you know if your website has been infected? The best symptoms are the most obvious ones:
- users complain that the website is blocked by the browser and/or security software;
- the website is blacklisted by Google or added to some other database of malicious URLs;
- there is a significant change in traffic and/or drop in search engine rankings;
- the website doesn’t work properly, displays errors and warnings;
- after visiting the website, computers exhibit strange behavior.
It often happens that the infection remains unnoticed for a long period of time, especially in the case of more sophisticated malware. Such malware is usually heavily obfuscated – in order to mislead both website administrators and security software – and it constantly changes the domain names to which it redirects, bypassing the blacklisting approach. If you do not notice any of the above mentioned symptoms it’s a good indication that your server is clean, but please remain alert to any suspicious activities.
The most reliable sign of every single infection will be the presence of malicious/suspicious code in one or more files on the server – mainly HTML, PHP or JS files, but recently also ASP/ASPX. It’s not easy to find this code and it requires at least a basic knowledge of programming and website development. In order to familiarize the reader with what the malicious code may look like, below are some examples of most common web injections.
Attack vectors and techniques
Regardless of which technique they use,criminals need to find a way to drop malicious files, or modify files already on the server. The most primitive method to gain access to the server is to crack the access password. In order to do so, cybercriminals can use a so-called brute-force attack or its limited version – a dictionary attack. Such tactics are usually time consuming and require a lot of resources, so this method is rarely used for mass web infections. More popular scenarios include exploiting vulnerabilities and password-stealing malware.
Use of vulnerabilities in content management / e-commerce systems
Most contemporary web management platforms (like CMS, e-Commerce, control panels, etc.) are not perfect and contain vulnerabilities that let someone upload files to the server without any authentication. Such vulnerabilities are discovered on a regular basis, while patches are released too slowly; moreover a lot of users still use older, much more bug-infested versions of software. As the most targeted platforms we may consider the most popular ones – like WordPress, Joomla and osCommerce. An infamous example of such a vulnerability is the TimThumb vulnerability, which was widely used by cybercriminals in various drive-by download scenarios. TimThumb is the PHP module for resizing images and creating so-called thumbnails and is included in most of the public CMS templates. The vulnerability allowed files from a remote location to be written into the cache directory on the server. Another example is the SQL injection vulnerability in Plesk Panel (versions 10 and older), discovered in February 2012, that makes it possible to read databases and steal passwords, which were – until recently – stored in plain text.
Use of spyware designed to steal FTP credentials
In most widespread web infections (such as Gumblar and Pegel) a different method has proven successful. In the first stage, cybercriminals propagate malware that is specially designed to look for and steal usernames and passwords to FTP accounts either by checking the FTP client settings or by sniffing the network traffic. Once the malware finds these credentials, it connects to the FTP server and uploads malicious scripts, or overwrites original files with infected versions. It goes without saying that until the account holder’s computer is disinfected, files on the server will be re-infected all over again, even after changing the login details and restoring all content from a clean backup.
The cybercriminals’ goals
What’s the purpose of spreading web malware?
- to redirect users to exploits in order to silently install malware on their computer;
- to redirect users to spam, phishing and other malicious, illegal or unwanted content;
- to hijack the site traffic / search traffic;
- to promote malicious / illegal / spam websites (Black Hat SEO);
- to use server resources for illegal activity.
Generally speaking, there’s nothing new here: it’s indirect financial gain that drives cybercriminals to infect websites.
What to do if your site gets hacked? First of all, if you see any symptoms of possible infection, you should immediately deactivate your website until the problem has been resolved. This is really essential, as every moment of delay acts in favor of the cybercriminals, exposing more potential victims to the problem and spreading the infection over the Internet. You should also check the server logs to see if there is any suspicious activity, like strange requests from IP addresses located in unusual countries, and so on. It could be helpful in locating the infected files and determining how the cybercriminals accessed the server. How to fight the malicious code, then?
The fastest and most reliable solution is to restore all the content of the server from a clean backup copy. To make this solution effective, you must also perform a full reinstall of the software that runs on the server (like CMS / CMF, e-commerce system, etc.) – and, of course, you should use the most recent, fully updated versions for that. After such action, there no infected files should remain on the server – as long as you erase all the content before the recovery and your backup copy was created before the attack.
If you don’t have a clean backup copy, there’s not much of a choice but to fight the malware on your own. Fortunately, there are several automated solutions which can help you in locating the malicious code – including antivirus products and online website scanners such as http://sucuri.net/. None of them is perfect, but in the case of known / common malware all of them may prove extremely helpful. To start with, you can check your website with a few online scanners. Some of them will not only confirm whether your site is indeed infected, but also point out the malicious code within your files. Then you can perform a full antivirus scan on all of your server files. If you own the server, or if there is a security solution running on the server which you have permission to use, you can perform the scan on the server side. Make sure you’ve made a copy of your files, as some AV scanners will delete infected files rather than disinfect them! You can also download the contents of your server to your local computer, and scan it using your desktop Internet Security solution. The second option is better, as most contemporary desktop AVs have a well-developed heuristic module. Website malware is highly polymorphic: while static signatures are almost useless against it, it can be easily detected with heuristics.
If an automated scan proves unsuccessful and your site is still reported as infected, the only way to get rid of the infection is to manually search for, and delete, all instances of the harmful code. It’s not an easy task and it may be quite time-consuming, as you need to check every single file – be it HTML, JS, PHP or configuration file – for the presence of malicious scripts. The examples above are just a small fraction of all the possible forms website malware comes in, so there is a high probability that the code on your site will be either slightly or completely different. However, most contemporary website infections have some things in common, and these features may be helpful in diagnosing the problem.
Most of all, you should pay attention to every piece of code that looks obscure and unreadable. Code obfuscation is a common technique for malware writers and it’s relatively unusual for any other website-related software. If you haven’t obfuscated the code yourself, you have every reason to be suspicious about it. Do be careful, though – not all obfuscated code will prove malicious!
Similarly, not every malicious script will be obfuscated, so you need to look for plain text IFRAMES, as well as for other links to external resources in all of your files. Some of them may be related to advertisements and statistics, but don’t be fooled by the URLs – they may confusingly resemble the addresses of known and trusted portals. Don’t forget to check the templates of error code messages and all the .htaccess files as well.
Useful tools for hunting malicious code on the server are certainly grep and find – command line utilities, included by default in pretty much all Unix-based systems. Below are some examples of how to use them to diagnose the most popular infections:
grep -iRs “iframe” * grep -iRs “eval” * grep -iRs “unescape” * grep -iRs “base64_decode” * grep -iRs “var div_colors” * grep -iRs “var _0x” * grep -iRs “CoreLibrariesHandler” * grep -iRs “pingnow” * grep -iRs “serchbot” * grep -iRs “km0ae9gr6m” * grep -iRs “c3284d” * find . -iname “upd.php” find . -iname “*timthumb*”
The description of grep (taken from the Linux manual) states: print lines matching a pattern; -i option stands for ignore case; -R means recursive and -s will prevent writing error messages to the output. The first of the listed commands will look for all IFRAME tags in the files; the next three will look for the most obvious signs of obfuscation; the last ones will look for specific strings that are related to major known website infections.
As for find, the Linux manual states: search for files in a directory hierarchy; the dot indicates the current directory (so you should run these commands from within the root directory or your home directory on the server) and the -iname parameter specifies the filename to look for. You may use regular expressions to find all files that meet the given criteria.
Of course, you must always know what to look for – not all of the results will indicate an infection. You may want to scan suspicious pieces of code with an AV scanner or try to google it – it’s highly likely that you will find some answers, in case of both malicious and clean code. If you’re still not sure whether the file is infected or not, it’s best to deactivate the website (just in case) and consult a specialist before taking any other action.
Very important notice! Apart from cleaning the files on the server, you must remember to perform a full antivirus scan of all the computers that are being used to upload and manage the content on the server and to change all login credentials to all the server accounts (FTP, SSH, administration panels, etc.) that you maintain.
Website security basics
Unfortunately, in most cases cleaning out the malicious code is not enough to get rid of the infection once and for all. Once your website gets compromised, it probably means that there are some vulnerabilities that allowed cybercriminals to drop or inject malicious scripts on the server; and if you pay no attention to them, you can expect new infections in the near future. To prevent this from happening, you need to take appropriate action in order to secure your server and the computer(s) used to connect to the server account.
- Using strong passwords – however trivial it may sound, this really is the foundation of server security. Passwords should not only be changed after any malware incident and/or attack on the server – you should change them on a regular basis – say, once a month. A good password should meet specific criteria, which you can read about on our web site;
- Being up-to-date – the next thing to remember is to perform regular updates. Cybercriminals tend to exploit vulnerabilities in software, no matter whether the malware is aimed at PC users or at websites and web servers. All the software that you manage from your server account should be the newest possible versions and every single security patch should be applied as soon as they are released. Keeping all software fully patched and up-to-date will decrease the risk of an exploit-based attack. A regularly updated list of known vulnerabilities can be found on cve.mitre.org;
- Creating frequent backups – having a clean copy of server content will certainly save you a great deal of time and effort – not to mention that a fairly recent backup may prove very useful when dealing with other problems, as well as infection;
- Regular file scanning – even if there are no visible infection symptoms, it’s good practice to scan all server files once in a while;
- Taking care of PC security – as a great deal of website malware is spread with the use of infected PCs, the security of the desktop computer used to manage your website is one of the most important aspects of website security. Keeping your computer clean and safe at all times will significantly improve the chances of your website staying safe and clean as well.
- Server hardening – if you own the server, you should pay attention to configuring it as securely as possible. Such activity may include, but is not limited to:
- removing all unused software;
- disabling all unnecessary services and modules;
- setting appropriate policies for users and groups;
- setting secure permissions / restricting access to certain files and directories;
- disabling directory browsing;
- collecting log files, which are checked for suspicious activity on a regular basis;
- using encryption and secure protocols.
Website malware is a real nightmare for both web administrators and Internet users. Cybercriminals are constantly improving their techniques and uncovering new exploits. Infections spread very quickly across the Internet, affecting servers and workstations as well. It’s true to say there is no reliable way of eliminating this threat completely. However, every single website owner and every single Internet user can make the Internet a bit safer by following basic security rules and keeping their websites and their computers safe and clean at all times.
For full article, including examples, click here: