ðòïåëôù 

  áòèé÷ 

Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 

  ðåòóïîáìøîïå 

  ðòïçòáííù 

ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FYI: More about mass web infections

http://isc.sans.org/diary.html?n&storyid=3864

 More about mass web infections
Published: 2008-01-18,
Last Updated: 2008-01-18 09:27:53 UTC
by Bojan Zdrnja (Version: 1)

Couple of days ago Mari posted a diary 
(http://isc.sans.org/diary.html?storyid=3834) about mass web infections; other 
sources like the Register reported about the same thing.

I've been playing with one compromised web site today and was trying to figure 
out what the infection vector is.

Some general information first. On all compromised sites the bad guys installed 
a server side script. This script embeds a script tag pointing to another 
JavaScript file on the same server, hosting various exploits. This script is 
randomly generated. The compromised server also caches the IP address of the 
client so subsequent requests for the same page from the same IP address will 
not contain the script tag to the malicious JavaScript file. So, the first 
visit to a compromised web site will include the link:

<body>
<script language='JavaScript' type='text/javascript' src='egmjh.js'></script>
<div id="page">

While subsequent visits will not:

<body>
<div id="page">

The JavaScript file has some trivial obfuscation, what's interesting is that 
they created a generic part which handles the final URL that will be used to 
download the malware from:

var arg="mvdrzjyh";
var MU = "http://"; +document.location.hostname + "/" + arg;
var MU2 = "\"" + MU + "\"";

The MU2 variable is then inserted in the exploit code (which is split using the 
escape() calls). This makes the exploit code "universal" - it works on every 
compromised server and the server side script only has to set the arg parameter 
(the name of the final binary that gets pulled and executed on a vulnerable 
client) as the hostname will be set automatically by the browser. The rest is 
simple (and has been written about by others so I won't spend time on that) - 
the script tries to exploit multiple vulnerabilities and if successful will 
result in the binary executed on the system.

Another interesting thing is that the binary seems to be repacked on the 
compromised system as well. I pulled couple of binaries from different clients 
and every time received a different sample (and AV detection was pretty poor).

Two main questions are still not answered here: how do those servers get 
initially compromised and what kind of server side application do the bad guys 
install?

There has been a lot of speculation about server side stuff. Some sources claim 
that compromised servers are running a rootkit and an evil Apache module that 
does this JavaScript injection and random file generation on the fly.

So a call for samples/logs/packets - if you have access to one of the 
compromised servers we would appreciate any information that can help resolving 
this.

--

Bojan

 



Copyright © Lexa Software, 1996-2009.