Beginning on May 5th, ScanSafe has observed numerous instances of a variant of the SpyEye family of trojans being delivered via email. The overwhelming majority of these are delivered via corp mail; very little have been observed via free webmail services.

The rate of encounter suggests the mail may be getting through corp spam filtering at the affected locations. The body of the email contains a link that downloads a zip file containing the malware. The malware appears to be hosted on compromised websites in the following folder location:

compromiseddomain\order\Order.zip

The zip itself extracts into an executable. However, a double extension ruse combined with multiple spaces makes it appear as if the file is actually a .doc file. (The spaces push the .exe extension off the screen). Obviously this could trick many users into attempting to open the “doc” in which case they will actually infect their PC with the SpyEye trojan.

ScanSafe detects and blocks this malware as:

Mal/BredoZp-B
Mal/EncPk-YJ
Trojan.Win32.Menti.gjgn
Trojan-Spy.Win32.SpyEyes.hdy

First observed encounter was 05-may-11 at 11:38:05GMT.

• A total of 42 malware domains have been observed during the 7 months this attack has been ongoing;
• The first encounter Cisco ScanSafe recorded was 20-sep-10 21:58:08 GMT;
• Only 0.15% (zero point one five percent) have involved encounters with functional / active malware domains;
• 99.85% of encounters have involved malware domains that were non-resolvable (shutdown / offline) at the time of encounter;
• 55% of the encounters occurred on March 25th when the Lizamoon domain was added;
• The high rate of encounters on the 25th was solely due to a single high profile website that was compromised;
• Of the Lizamoon encounters on March 25th, only 0.13% were encounters with the live domain. 99.87% were non-resolvable (i.e. the domain was offline / not delivering content).

Here's the current list of domains we've observed in these attacks, from September 2010 through March 31, 2011:

agasi-story.info
alexblane.com
alisa-carter.com
ave-stats.info
books-loader.info
eva-marine.info
extra-911.info
extra-service.info
general-st.info
google-stat50.info
google-stats44.info
google-stats45.info
google-stats47.info
google-stats48.info
google-stats49.info
google-stats50.info
google-stats54.info
google-stats55.info
google-stats73.info
lizamoon.com
milapop.com
mol-stats.info
multi-stats.info
online-guest.info
online-stats201.info
people-on.info
pop-stats.info
security-stats.info
social-stats.info
sol-stats.info
star-stats.info
stats-master11.info
stats-master111.info
stats-master88.info
stats-master99.info
system-stats.info
t6ryt56.info
tadygus.com
tzv-stats.info
urllizamoon--com.rtrk.co.uk
world-stats598.info

The battle to cash in on Prince William’s impending marriage to Kate Middleton has already begun, with an array of royal memorabilia set to flood the market.

My first thought on reading this was that malware and scammers will be even quicker to cash in. Indeed, many are proclaiming that Prince William's and Kate Middleton's wedding (set for sometime next spring) will be the biggest marital event since Princess Di and Prince Charles. With that in mind, it's important to remember three important thingst:

1. Major breaking news events are favorite themes for malware purveyors and scammers;
2. Clicking unsolicited links in email and IM are a frequent path of infection;
3. Criminals work fast - expect your favorite search engine to already be sprinkled liberally with malicious results regarding the engagement and upcoming nuptials.

Cisco ScanSafe research indicates that 3 out of every 100 malware encounters results from people clicking unsolicited malicious links in email, IM and social messaging, and 10 out of evey 100 encounters occur via search engine results. Bottom line - think before you click, consider the source, and pay attention to the destination URL. By following this advice, hopefully you can toast to the happy couple without toasting your computer.

 Dear Bank of America Customer,

We recently have determined that different computers have logged in your Bank of America Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by July 31st, 2010, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. In order to confirm your Online Bank records, we may require some specific information from you.

To restore your account, please Sign in to Online Banking.

Here's where victims get sauced. The link behind "Sign in to Online Banking" actually points to gramsbbq.org/bain. Now grambbq.org is the legitimate website for Gram's Mission Barbecue Palace in Riverside, CA. The gramsbbq.org/bain page is a 302 redirect that leads to a phishing page hosted on a second compromised site: chasingarcadia.com (the website for Canadian band Chasing Arcadia). The actual phishing page is at:

http://www.chasingarcadia.com/channel/safe.sslbankofamerica.com/index.htm

This use of compromised sites as redirectors and phishing host enables the attackers to bypass reputation filters and/or community-based trust reporting. And it increases the collateral damage, because if/when the compromised sites are blacklisted, those businesses could suffer as a result.

Anyway, in some of the reports, one of the sites claimed to be compromised was that of the Wall Street Journal (WSJ.com). However, ScanSafe investigation reveals the SQL injection attack that appeared on certain pages of the WSJ site weren't the result of compromise on WSJ directly, but rather the result of compromise of a third-party partner.

That partner, adicio.com, provides real estate listings that are in turn displayed on certain pages of the WSJ.com website.

Of course, from a site visitor's perspective, this might seem a bit semantic. But still, it is worth pointing out that it wasn't really wsj.com that was compromised.

script src=http://ww.robint.us/u.js

Search on the full iframe with quotes and you get about 7k hits in Google. But search on just the domain name or omit the quotes and you get over a million hits. That's because the more generic search picks up any page that mentions the domain or includes any mix of those keywords. This loosely constructed search mistake causes some to believe the attack is much larger than it really is.

Certainly 7k Web pages compromised is nothing to sneeze at but it's certainly not a million pages and certainly nothing new - many of these same compromised pages have been repeatedly compromised in one SQL injection attack after another since 2007.

On a more positive note, when SQL injection attacks first went mainstream a few years back, it wasn't uncommon to see a million+ pages compromised in a single attack. From that perspective, 7k is a vast improvement and shows that at least many sites are paying attention and taking the appropriate security measures. On the downside, attacks like robint.us are just one of over a thousand unique attacks carried out via the Web each month.

• 16196 unique malicious domains.
• The top ten malicious domains comprised 23% of all Web malware attacks in May 2010.
• Five of the top ten were related to attacks against GoDaddy-hosted websites, for a total of 14% of all Web malware in May 2010.
• Top Web malware was Trojan.JS.Redirector.cq, the majority of which resulted from attacks against GoDaddy-hosted websites.
• Gumblar was the second most prevalent Web malware encountered, at 7%.
• Third most prevalent Web-distributed malware encountered was Backdoor.Win32.Alureon, at 6%.

Top Ten Malicious Domains, May 2010

holasionweb.com* - 7%
www.sitepalace.com - 3%
losotrana.com* - 2%
indesignstudioinfo.com* - 2%
kdjkfjskdfjlskdjf.com* - 2%
easfindnex.org - 2%
findermar.org - 2%
76.73.33.109 - 2%
findrasup.org - 1%
zettapetta.com* - 1%

*Related to attacks against GoDaddy-hosted websites

Top Ten Web Malware, May 2010

Trojan.JS.Redirector.cq - 14%
Exploit.JS.Gumblar - 7%
Backdoor.Win32.Alureon - 6%
Exploit.Java.CVE-2009-3867.d - 3%
Trojan.JS.Redirector.at - 3%
Downloader.JS.Agent.fhx - 2%
OI.Backdoor.Win32.Autorun.cx - 2%
OI.Win32.Susp.ms - 2%
Trojan.Iframe.f - 2%
Trojan.GIFIframe.a - 2%

The v3p2.com attack drops a cookie to track victims, checks for the presence of Rising AV or 360Safe antivirus, then exploits the "use after free" vulnerability in Microsoft Internet Explorer versions 6 (including SP1) and 7 (CVE-2010-0806 / MS10-018).

Successful exploit leads to the silent installation of a data theft trojan delivered from n9uo.com. Both attack domains - v3p2.com and n9uo.com - were registered on May 7th. Referrers to the v3p2.com domain indicated the attack was originating from the popular greatandhra.com website.

Coincidentally (or not), greatandhra.com was mentioned on Hack Forums (tagline Packets, Punks, and Posts) on May 2nd for having a vulnerable/accessible mysql.user root entry. A subsequent post to the thread (also on May 2nd) by someone using the moniker jfmherokiller claimed shell access had been gained.

First encounters resulting from these attack began on May 10th, eight days after the initial allegations that root access to greatandhra.com had been gained and three days after the v3p2.com and n9uo.com malware domains were registered.

1 & 1
DreamHost
In2Net
Hostway
Media Temple
ServerBeach

and several others. While many of the compromised sites are using WordPress, some are not.

The two main attacks are: (1) the Google / WordPress pharma attacks and (2) the Grepad.com family of attacks that netted Network Solutions hosted sites, some U.S. Treasury sites, and many, many popular niche 'mom and pop' style sites.

Google / WordPress Pharma Hacks

In the Google / WordPress pharma attack, the attackers are targeting popular Web pages and modifying the title tag of those pages to include a pharmaceutical sales pitch. Searches that would normally cause the legitimate site to appear in search engine results pages (SERPs) will also include the manipulated title tag. The link itself still points to the legitimate site, but modifications on the compromised site will cause an automatic redirect to the pharmaceutical site.

Note that many of the sites that appear in Google SERPs for these title tags are not necessarily compromised. Quite often, blog and forum comments will adopt the title tag of the post and spammers are using these same tags. For those that are compromised, currently the redirect points to "thepharmacydiscount.com/group/bestsellers.html?said=compromised.com" where compromised.com equals the name of the legitimate (but compromised site) that is delivering the redirect.

The point behind the Google / WordPress pharma attacks is to leverage the popularity ranking of the compromised sites, which boosts the SERPs ranking for the pharma keywords used.

Grepad.com Attacks

The intent of the Grepad.com family of attacks is not to gain favorable placement in SERPs to peddle counterfeit viagra, but rather to download malware to the site visitors' PCs. Pages on the compromised websites are embedded with hidden iframes that load content from the malware domain. Multiple malware domains have been used in these attacks, including grepad.com, ginopost.com, bigcorpads.com, binglbalts.com, corpadsinc.com, hugeadsorg.com, mainnetsoll.com  and networkads.net. Exploits of multiple vulnerabilities are attemped in order to download this malware. A list of observed exploits can be found in this blog post.

Commonalities Between Attacks

In both sets of attacks, the attackers are filtering based on whether the clickthrough to the site is human or a search spider. In the pharma attacks, the malformed title is only presented to search spiders and the redirect only occurs if you click the link from SERPs. If you visit the site directly, by typing in the URL or from a non-SERPs link on another site, the legitimate page will load normally.

The exact opposite is true with the Grepad.com family of attacks. In these cases, the filters suppress the compromise so that search spiders don't see the embedded iframe. If the link is accessed directly (or via a link from a non-search engine), then the iframe will be rendered. However, the attackers also drop a cookie when visitors hit a compromised page and suppress the iframe on subsequent visits.

Filtering is also being done by IP address ranges, operating system, and user_agent to determine when the embedded iframe (or pharma redirect) will occur.

The Million Dollar Question: How?

The why is easy to answer: attackers want to make money. The how is a bit more cloudy.

It appears the attacker is able to read wp-config.php which by necessity contains plaintext credentials for the WordPress database. Normally, wp-config.php should not be externally readable, unless the user has not properly configured file permissions. In any event, once initial access was gained, the attackers inserted or modified entries in the wp-option table for the active WordPress database. In subsequent phases (in the case of the Grepad family), the attackers modified php.ini / .htaccess, uploading malicious scripts which then embed the iframe.

At this point, the attackers have the ability to plant PHP backdoors on the compromised sites, a precedent first set by Gumblar. The presence of the backdoor would allow continued access to the compromised sites, even after file permissions were properly configured or FTP credentials had been changed. And if proper segregation is not done, bleed over to other sites on the same hosted share can still occur.

It's worth noting that the U.S. Bureau of Engraving and Printing (bep.gov and moneyfactory.gov) were compromised in the most recent wave of the Grepad.com attacks. While neither of these sites appear to have been using WordPress, both were hosted by Network Solutions and appear to have been published with Network Solutions Website Builder.

• Adobe Reader and Acrobat util.printf stack-based buffer overflow (CVE-2008-2992)
• Adobe Reader and Acrobat getIcon stack-based buffer overflow (CVE-2009-0927)
• Office OCX OpenWebFile    (BID-33243)
• Symantec AppStream LaunchObj ActiveX control (CVE-2008-4388)
• Hummingbird PerformUpdateAsync    (CVE-2008-4728)
• Peachtree ExecutePreferredApplication (CVE-2008-4699)
• C6 Messenger propDownloadUrl (CVE-2008-2551)
• Internet Explorer memory corruption (MS09-002)

The malware host, ginopost.com, was registered on April 25th, using the same IP address (188.124.16.104) as a series of malware hosts that have been engaged in attacks on Network Solutions hosted WordPress blogs. Previous malware domains using that IP have included bigcorpads.com, binglbalts.com, corpadsinc.com, hugeadsorg.com, mainnetsoll.com  and networkads.net.

Attacks on WordPress-published websites have not been restricted to those hosted by Network Solutions. A separate ongoing series of attacks have also been targeted against WordPress-published sites hosted by GoDaddy.