Some time ago we talked about Mpack and how thousands of Italian websites were compromised through an unknown infection vector. That was not the first such case in Italy: at least two other companies had already been attacked by malicious code injection.
Many users believe they are safe as long as they only surf well-known, trusted web pages. This is no longer the case: we have seen well-known websites compromised, for example the website of a famous Italian singer and antirootkit.com, a popular anti-rootkit knowledge base.
A common characteristic of these infections is that the injected code always redirects to a website that attempts to exploit the user's computer, 'brute forcing' an infection by trying dozens of exploits against it.
These attackers also create numerous fake web pages that are well indexed by search engines, so that they appear at the top of almost every user search. From the fake page, the browser is then redirected to one of the exploit websites. This technique was the main way the groups behind the Gromozon rootkit and Rootkit.DialCall, two widespread Italian rootkits, spread their infections.
For a while, Rootkit.DialCall was hard to remove, as it dropped the Rustock rootkit and generated a great deal of spam that affected Italian internet connectivity as a whole. We are able to identify Rootkit.DialCall's dropping websites because the IP ranges where they are hosted are always the same, and we have now had reports of compromised websites pointing to IP ranges related to Rootkit.DialCall. One key defence against these infections is to keep Windows and all installed software fully up to date.
The website of the well-known Italian singer Carmen Consoli was compromised when an inline frame pointing to another IP was maliciously added to her pages:
After the user's computer is exploited, a randomly named executable is dropped onto the system. When this malware runs, it copies itself into the Windows directory as ?:\Windows\svchost.exe, NOT ?:\Windows\SYSTEM32\svchost.exe, which is the legitimate Microsoft file. A second file, svchost.dll, is dropped into the Windows directory; it has usermode rootkit features: its code is injected into other system processes so that the svchost.exe process and some registry keys are hidden.
The hooks are inline hooks: the first bytes of the target functions are patched inside the in-memory image of ntdll.dll. The hooked functions are ZwQuerySystemInformation, ZwEnumerateKey and ZwEnumerateValueKey.
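The way a defender finds this kind of hook is the mirror image of how it is planted: read the first bytes of each Zw stub from the live process and compare them with the clean prologue from the ntdll.dll on disk; anything that differs is a detour, and the detour encoding tells you where execution is being diverted. The script below is an added example written for this article, not Prevx code and not the rootkit's code. It works entirely on constructed byte strings so it runs offline: the "clean" stubs are a constructed imitation of 32-bit ntdll system-call stubs (service numbers change between Windows builds, so a real check must take the reference bytes from the same ntdll.dll the process loaded), the stub addresses and the injected-DLL address 0x10000000 are hypothetical, and only the three function names come from the text.

```python
"""Detect inline hooks at the start of ntdll Zw* stubs by comparing the bytes
found in process memory with a clean reference copy of each stub prologue."""
import struct

# Constructed samples of clean 32-bit ntdll stubs:
#   mov eax, <service number>; mov edx, 7FFE0300h; call [edx]; ret <arg bytes>
# Service numbers differ per Windows build, so in a real check these bytes are
# read from the ntdll.dll on disk (relocations applied), not from a constant.
CLEAN_STUBS = {
    "ZwQuerySystemInformation": bytes.fromhex("B8AD000000BA0003FE7FFF12C21000"),
    "ZwEnumerateKey":           bytes.fromhex("B847000000BA0003FE7FFF12C21800"),
    "ZwEnumerateValueKey":      bytes.fromhex("B849000000BA0003FE7FFF12C21800"),
}

# Hypothetical virtual addresses of the stubs inside the inspected process.
STUB_VA = {
    "ZwQuerySystemInformation": 0x7C90D92E,
    "ZwEnumerateKey":           0x7C90D1EE,
    "ZwEnumerateValueKey":      0x7C90D25E,
}

def jmp_rel32(src_va, dst_va):
    """Encode the 5-byte 'jmp rel32' an inline hook writes over a prologue."""
    rel = (dst_va - (src_va + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)

def push_ret(dst_va):
    """Encode the 6-byte 'push imm32; ret' detour variant."""
    return b"\x68" + struct.pack("<I", dst_va) + b"\xc3"

def classify_detour(mem, func_va):
    """Recognise common 32-bit detour encodings and recover their target."""
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return "push imm32 / ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 7 and mem[0] == 0xB8 and mem[5:7] == b"\xff\xe0":
        return "mov eax, imm32 / jmp eax", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 6 and mem[:2] == b"\xff\x25":
        return "jmp dword ptr [imm32]", struct.unpack_from("<I", mem, 2)[0]
    return "unrecognised patch", None

def check_stub(name, clean, in_memory, func_va):
    """Compare the prologue bytes; on a mismatch, describe the detour."""
    if in_memory[:len(clean)] == clean:
        return {"function": name, "hooked": False}
    kind, target = classify_detour(in_memory, func_va)
    return {"function": name, "hooked": True, "detour": kind, "target": target}

def scan(snapshots):
    """snapshots maps a stub name to the bytes read from STUB_VA[name]."""
    return [check_stub(n, CLEAN_STUBS[n], snapshots[n], STUB_VA[n])
            for n in CLEAN_STUBS]

def build_sample_snapshot():
    """Constructed memory image: two stubs detoured into a hypothetical
    injected DLL mapped at 0x10000000, the third stub left intact."""
    return {
        "ZwQuerySystemInformation":
            jmp_rel32(STUB_VA["ZwQuerySystemInformation"], 0x10001000)
            + CLEAN_STUBS["ZwQuerySystemInformation"][5:],
        "ZwEnumerateKey":
            push_ret(0x10001200) + CLEAN_STUBS["ZwEnumerateKey"][6:],
        "ZwEnumerateValueKey": CLEAN_STUBS["ZwEnumerateValueKey"],
    }

if __name__ == "__main__":
    for finding in scan(build_sample_snapshot()):
        print(finding)
```

Two points for anyone turning this into a real tool. First, the reference bytes must come from the same ntdll.dll the process mapped: a reference from another build also begins with `B8` but carries a different service number, and the scan will report it as an "unrecognised patch" rather than a clean stub. Second, a recovered target outside the address range of ntdll.dll, and in particular inside a module with no file on disk or a module sitting in the Windows directory like the svchost.dll described here, is the indicator worth acting on; legitimate products (anti-virus, application-compatibility shims) also place inline hooks, so the hit itself means "investigate", not "infected".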
Svchost.exe connects to the same IP used by the inline frame and downloads a file which appears to be plain text but actually contains encrypted data. After decoding it, we found that it contains links to other malicious components of the malware, which allow the infection to update itself easily and add new features.
Pa_0111.exe is a dialer for Italian modems: it tries to call a premium-rate number with the 899 prefix. If it finds a 56k modem installed, it creates a connection called Service. If the connection attempt fails, a message box may appear; otherwise it opens an Italian adult website where visitors are invited to call an 899 number to obtain membership access.
Spoolsv32.exe was used some months ago to install the Rustock rootkit component, but it sometimes installs an adware component as a BHO (Browser Helper Object) instead. The adware component is installed under:
HKEY_CURRENT_USER\clsid\{58fb2cbb-c874-45fc-a1c9-b62cc9e3bed9}
All components of this infection are detected and removed by Prevx 2.0. This attack has been affecting Italian users and changes frequently: our research lab has recorded many variants of this infection using different file names, from the initial dropper to the final dialer.
We contacted the owners of the modified website, but at the time of writing the inline frame is still present. Given that the infected website belongs to a famous Italian singer, and considering how many people in Italy still surf the web without proper protection, without updated software and, moreover, without a broadband connection, this infection may cause substantial monetary damage to Italian users.
Hackers used to attack websites merely to show that it could be done, by defacing them. Now attackers create real danger for surfers by injecting malicious code into seemingly legitimate websites.
Italy has already been attacked many times in just the first half of the year: two large hosting providers were attacked, allowing literally thousands of websites to be modified. Security is not to be taken lightly. Whether you own a hosting company or a simple website, if you don't secure your servers you put at risk everyone who believes they can trust the websites they have always visited without getting infected.
You are sure your website isn't infected, aren't you?
