Busy day in TrendLabs today, first the full analysis of and news on ZeuS and SALITY, which are exploiting the Windows shortcut vulnerability. Now we’ve identified a ton of compromised websites leading to an “online pharmacy.”
We’re currently seeing a wave of fake pharma spam that do not directly advertise the URL of the fake pharma site. Instead, the spammed messages advertise URLs that point to HTML pages hosted on compromised sites.
Obfuscation Layer for Spam
These HTML pages are uploaded to the Web root of the compromised sites while the HTML redirectors provide an obfuscation layer to hide the final landing page, in this case, the real fake pharma site—the infamous “Canadian Pharmacy” or “Pharmacy Express.”
We’re seeing a daily average of around 1,000 new compromised sites caught by our spam traps. Some of these sites were repeatedly compromised, as indicated by several HTML redirectors uploaded in their Web roots.
In most cases, two files are uploaded to the compromised sites—the HTML redirector and a .JPEG file. The .JPEG file bears the same file name as the .HTML file and is used as the display image in the spam, as shown in Figure 4 above.
The Underlying Compromise
The compromised sites’ Web platforms vary; some don’t even use any CMS, only plain .HTML files. There is also no commonality between the Web platforms the compromised sites use, ruling out the possibility that these were compromised via Web application exploits.
Logic tells us that the easiest way to compromise a lot of these sites is through stealing FTP credentials. After all, stolen FTP accounts are widely being traded in underground markets. An enterprising buyer can get get as many as 300,000 FTP accounts for only 250 WMZ (WMZ or Web money currency where 1 wmz = US$1). Tools to do mass file uploads given a list of FTP credentials are also readily available.
Researchers from another security firm already tracked the spam sample above and confirmed that it is a product of the prominent Rustock spam bot. This suggests that the operators behind this mass Web compromise and the operators of the Rustock spam botnet have very close ties, if not one and the same.
Recommendations for Web Masters
Most websites nowadays are managed by fancy CMS software with user-friendly administrative interfaces. This makes managing websites very easy. The downside is that Web masters may not notice small .HTML files that are uploaded to their sites. To address this, Web masters are advised to do the following:
- Regularly check the Web root for any dropped .HTML files. The file names of these .HTML files follow some conventions (like ovary40.html, slouch77.html, island57.html, e.html, and b.html). Sometimes, however, the file names are just random (like yfogewef.html, esyqaso.html, and oxbm.html).
- Delete such files if found.
- Change FTP passwords after cleaning up the site to prevent reinfection. Remember to use a strong password.
If a malware infection—a keylogger, more specifically—is suspected, users are advised to revert to the last known clean backup, to change FTP passwords, and to install an integrity-checking tool such as OSSEC or Deep Security to help protect the site. Lastly, and most importantly, users are advised to keep their security software up-to-date and running to ensure that they’re protected from the latest threats.
Additional text by Martin Roesler (Director for Threat Research)