Journal chill's Journal: pwned 6

Three hours ago a friend of mine called saying he thought his website had been hacked. He wanted me to look at it and see what I could figure out.

Yes, he'd been hacked. Bad. Full-on Chinese ass-raped. Not only that, but it seems his two desktop machines had been infected with a virus. I know he had been working on cleaning them up last weekend, but wasn't sure what happened.

Based off of what I found, here is what happened.

Last weekend his system was infected with a virus. I'm not sure where the original vector was, but it was fairly invasive. I know it was playing around with the Windows Installer engine. He is running WinXP SP3. He used SuperAntiSpyware to remove it, and it seems like it did a good job.

In the mean time, he was updating a website or two. The best I can determine is when he opened up CuteFTP the virus read all the usernames, passwords and IP addresses from memory. Shortly thereafter his main website was compromised with the Gumblar.cn exploit. Then, within a couple hours, EVERY site he had access to was infected. That is about 50 domains, by the way.

The hijack connects back to a website in China and feeds the username/password/IP information. From there, a script logs in and injects malicious javascript and hidden iFrames into every .htm, .html, .php and .js file.

The first pass, back on May 3rd, infected only index.htm, index.html and index.php files. Starting a day later, it hit EVERY .htm, .html, .php and .js on his sites. It looks like it updates once a day, in batch fashion. That is, every file on the site -- hundreds -- update within a minute or two of each other.

Fortunately we had clean backups of everything, so it is all being restored. And the majority of those sites are really just parked domains. More of a "Hey, I have an idea. Let me register a domain." sites. There are half-a-dozen, however, that are NOT. He gets the unenviable task of notifying everyone tomorrow about possible viruses.

From what I read, the initial vector comes in from an infected .PDF or .SWF file. Oh, what a foolish mistake it was to mix data and code. That little devil will haunt people for eternity. Data is data and code is code and never the twain should mix. Oh, well. Too late now.

If I'm correct in my assessment, protections like using SFTP instead of FTP and strong passwords would have made no difference. The stuff was read from memory, not sniffed or brute-forced.

I decoded the obfuscated Javascript to see what it was trying to do, and noticed it was making sure the machine in question was running Windows NT6 (XP or later). If not, the script doesn't continue.

The obfuscation was just random variable names, mixed with a random encoded string. Change the "eval()" to "document.write()" and a few other minor tweaks and it just decodes and prints to the screen instead of running.

The master domain in China is blocked by Google's bad-site warning as well as Firefox's blacklist. I didn't check versions of IE, but I guess not because that was how my friend got infected. He was showing someone the difference between Firefox and IE. :-)

Anyway, we're off to change all 50+ passwords. What a fun way to spend a Friday evening.

  • In my case it was CuteFTP as well. And only _some_ of my websites were affected. What this did was it added a piece of code at the bottom of each index file. Like index.php/html/pl, etc. What that did was open an external website in hidden iframe, and it tried to run .exe file from remote location (.cn domain)
    • by chill ( 34294 )

      This one hit every site that was hosted on Hostmonster.com, but not the ones hosted elsewhere.

      It inserted some hidden iframes that pulled crap from a server in China. Sometimes it inserted the javascript function I mentioned. Whatever did it basically walked the entire FTP tree, even infecting the old Webalizer stats pages buried in a tmp folder.

      The iframes were either right below the body tag, or just above the closing body tag.

      Very annoying.

      • by f1vlad ( 1253784 ) * Works for Slashdot
        In my case iframes were added after /body tag. And also the whole thing was inside script tags encrypted. So you couldn't really visually read what it was meant to do at first. But yeah it was annoying as hell, I had to restore many files by hand :(
        • by chill ( 34294 )

          Yeah, I modified the encrypted script to decrypt itself and print out instead of executing. It basically checks for what browser, and if your machine reports "NT" and "version 6". If so, it pulls a file from a server in China. I think that file is a virus.

          My friend said his machine popped up a box a "Now downloading updates for Office 2003" dialog box when he yanked the plug. Other reports have it pulling an infected PDF or infected Flash file. I'm going to dig deeper this weekend and intentionally inf

  • Very interesting report!

    From your story one thing is very intriguing: You mention that it acquired all the passwords from memory once CuteFTP was started, what led you to believe that?

    In light of your misfortunate experience, is there any practice one might adhere to in the future to possibly avoid such attacks?

    More interestingly, how can one create a program which would scan memory for passwords? What patterns would such scan look for?

    • by chill ( 34294 )

      That was just a guess. CuteFTP is the only place he has all the passwords stored. Several of the hacked sites have not been accessed via FTP for months prior to the hack. Their passwords and IP/URLs were different from the main site. The only thing I can think of is something that targets CuteFTP and other popular FTP software, either by scanning memory or config locations. I'm tempted to test my theory by setting up a VM and intentionally infecting it.

      I'm not really set up for deep investigation to th