    Busy day in TrendLabs today, first the full analysis of and news on ZeuS and SALITY, which are exploiting the Windows shortcut vulnerability. Now we’ve identified a ton of compromised websites leading to an “online pharmacy.”

    We’re currently seeing a wave of fake pharma spam that do not directly advertise the URL of the fake pharma site. Instead, the spammed messages advertise URLs that point to HTML pages hosted on compromised sites.

    Obfuscation Layer for Spam

    These HTML pages are uploaded to the Web root of the compromised sites and act as redirectors, providing an obfuscation layer that hides the final landing page—in this case, the real fake pharma site, the infamous “Canadian Pharmacy” or “Pharmacy Express.”

    These HTML pages are very simple redirectors. From what I’ve seen so far, they either use a meta refresh or a JavaScript redirect.

    We’re seeing a daily average of around 1,000 new compromised sites caught by our spam traps. Some of these sites were repeatedly compromised, as indicated by several HTML redirectors uploaded in their Web roots.

    In most cases, two files are uploaded to the compromised sites—the HTML redirector and a .JPEG file. The .JPEG file bears the same file name as the .HTML file and is used as the display image in the spam, as shown in Figure 4 above.

    The Underlying Compromise

    The compromised sites’ Web platforms vary; some don’t even use any CMS, only plain .HTML files. There is also no commonality between the Web platforms the compromised sites use, ruling out the possibility that these were compromised via Web application exploits.

    Logic tells us that the easiest way to compromise a lot of these sites is through stealing FTP credentials. After all, stolen FTP accounts are widely traded in underground markets. An enterprising buyer can get as many as 300,000 FTP accounts for only 250 WMZ (WMZ is the WebMoney US-dollar unit, where 1 WMZ = US$1). Tools that perform mass file uploads given a list of FTP credentials are also readily available.

    Researchers from another security firm already tracked the spam sample above and confirmed that it is a product of the prominent Rustock spam bot. This suggests that the operators behind this mass Web compromise and the operators of the Rustock spam botnet have very close ties, if not one and the same.

    Recommendations for Web Masters

    Most websites nowadays are managed by fancy CMS software with user-friendly administrative interfaces. This makes managing websites very easy. The downside is that Web masters may not notice small .HTML files that are uploaded to their sites. To address this, Web masters are advised to do the following:

    1. Regularly check the Web root for any dropped .HTML files. The file names of these .HTML files often follow a recognizable pattern, such as a dictionary word followed by two digits (like ovary40.html, slouch77.html, and island57.html) or a single letter (like e.html and b.html). Sometimes, however, the file names are just random (like yfogewef.html, esyqaso.html, and oxbm.html).
    2. Delete such files if found.
    3. Change FTP passwords after cleaning up the site to prevent reinfection. Remember to use a strong password.
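    The check in step 1 can be automated. The script below is an added example, not code from Trend Micro or this post: it looks at small .HTML files in a Web root, recognizes the two redirector styles described above (meta refresh and JavaScript redirects), and reports those that send visitors off-site. The sample files, the host name www.example.com, and the domain pharma.example are constructed for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

META_TAG = re.compile(r"<meta\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""", re.I)

def find_redirect(html):
    """Return the target of a meta-refresh or JavaScript redirect, else None."""
    for tag in META_TAG.finditer(html):  # meta refresh, attributes in any order
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR.finditer(tag.group(1))}
        if attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"""url\s*=\s*['"]?([^'"\s;]+)""", attrs.get("content", ""), re.I)
            if m:
                return m.group(1)
    m = JS_REDIRECT.search(html)
    return (m.group(1) or m.group(2)) if m else None

def scan_webroot(root, own_host, max_size=4096):
    """List small .html/.htm files in the web root that redirect off-site."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if (not os.path.isfile(path) or not name.lower().endswith((".html", ".htm"))
                or os.path.getsize(path) > max_size):  # dropped redirectors are tiny
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            target = find_redirect(fh.read())
        host = urlparse(target).netloc.lower() if target else ""
        if host and host != own_host.lower():  # same-site redirects are legitimate
            findings.append((name, target))
    return findings

SAMPLES = {  # constructed sample web root: two dropped redirectors, two legitimate pages
    "ovary40.html": '<meta http-equiv="refresh" content="0; url=http://pharma.example/">',
    "yfogewef.html": "<script>window.location.href='http://pharma.example/x';</script>",
    "index.html": '<html><body><a href="/shop">Shop</a></body></html>',
    "login.html": "<script>location.replace('/account');</script>",
}

def demo(own_host="www.example.com"):
    with tempfile.TemporaryDirectory() as root:  # write the samples, then scan them
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root, own_host)
```

    Run against a real Web root, a hit is a candidate for step 2 (delete) and step 3 (rotate the FTP password), after confirming the file was not placed there by the site's own team.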

    If a malware infection—a keylogger, more specifically—is suspected, users are advised to revert to the last known clean backup, to change FTP passwords, and to install an integrity-checking tool such as OSSEC or Deep Security to help protect the site. Lastly, and most importantly, users are advised to keep their security software up-to-date and running to ensure that they’re protected from the latest threats.

    Additional text by Martin Roesler (Director for Threat Research)

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice