Malware Distribution Point Detection – a Case Study
The attack began with an email that appeared to come from a trusted sender. The body of the email consisted of a single line of text, namely a link to a particular website. A quick URL scan on VirusTotal revealed that the link had not yet been identified as malicious. The URL did not resemble a popular website, nor did it use an extremely long domain name, two common characteristics of URLs tied to online scams that are meant to deceive end-users. What was strange was the fact that the landing page of the URL was buried deep within the website’s directories (see figure 1). This could be viewed in one of two ways. First, this was a malicious website designed to look benign. Second, this was truly a benign website that had been compromised in order to act as a malware distribution point. After weighing the pros and cons of each, the latter seemed the more likely scenario. More analysis, however, was required to prove this.
Figure 1: Malicious web pages buried deep within the root directories
The landing page was assessed to learn what happens when users reach it. The page consisted of a “You are here because one of your friends have invited you” message followed by a URL redirect command that pushed users to another, totally different website (see figure 2). In addition, the text on the landing page had nothing to do with the actual content of the website on which it was found, which raised an additional red flag. To rule out the possibility of this being coincidental, the directory in which the landing page was buried was copied offline and its contents were also analyzed.
Figure 2: URL redirection to the malicious web page
It quickly became apparent that the web pages within the directory abnormally shared the same file names and dates of creation, and consisted of the same short “You received this because…” message and URL redirect. The websites to which users were redirected, totaling about 20, also shared similar domain names.
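The offline directory analysis described above can be scripted. The following is an added example, not zveloLABS' tooling: it walks a copied site, reports every page that carries both the lure text and a redirect, and groups the results by redirect target. The lure wording, the redirect forms (meta refresh or a JavaScript location assignment) and the sample directory it builds are assumptions for this example.

```python
import os
import re
import tempfile

# Lure text and redirect forms assumed for this example; the case study only
# says the pages carried a short "You are here because..." message and a redirect.
LURE_RE = re.compile(r"you (?:are here|received this) because", re.I)
REDIRECT_RE = re.compile(
    r"""(?:http-equiv=["']refresh["'][^>]*?url=|location(?:\.href)?\s*=\s*["'])"""
    r"""(https?://[^"'\s>]+)""",
    re.I,
)


def scan_site_copy(root):
    """Walk an offline copy of a site and list pages that carry both the
    lure text and a redirect, as (relative path, redirect target domain)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            m = REDIRECT_RE.search(body)
            if m and LURE_RE.search(body):
                domain = m.group(1).split("//", 1)[1].split("/")[0]
                hits.append((os.path.relpath(path, root), domain))
    return sorted(hits)


def build_sample_site():
    """Create a constructed site copy (sample data, not the real site): a
    benign front page plus implanted pages buried several directories deep."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome to our bakery</body></html>")
    deep = os.path.join(root, "images", "cache", "old", "tmp")
    os.makedirs(deep)
    for i in range(3):
        with open(os.path.join(deep, f"invite{i}.html"), "w") as fh:
            fh.write(
                '<html><head><meta http-equiv="refresh" '
                f'content="0;url=http://best-deal-{i}.example/"></head>'
                "<body>You are here because one of your friends have "
                "invited you</body></html>"
            )
    return root
```

Pages that share a creation date and a near-identical body, all pointing at similar domains, are the cluster the case study describes; the front page is not reported because it has neither lure nor redirect.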
The captured URLs were then tested on a virtual machine in order to determine their true intent, which quickly became clear. Scammers had compromised legitimate websites and implanted malicious scripts to lure unsuspecting victims to spam pages that sold a variety of products. These pages likely also installed the URL redirect script to create a repetitive cycle of infected computers – a botnet. Exactly how did the websites get compromised, and why did the URL scanners fail to flag them as such?
Unsurprisingly, the compromised websites were common template/framework-based blogs or homepages. The search engines are stuffed with “how to” guides intended to help the least tech-savvy individuals launch their own platform from which to sell goods or services. This in itself is a double-edged sword: while technology allows more people to have an Internet presence, the tools provided to these individuals have been designed for convenience and not security. A cursory inspection of the compromised websites showed that they were running outdated frameworks (WordPress), left administrative screens accessible to the public, or were otherwise improperly configured. Even more troubling is the fact that inadequately secured websites can be exploited in an automated fashion. The nature of the files that contained the malicious links certainly demonstrated this behavior.
To understand why URL scanners failed at detecting these malicious web pages, zveloLABS considered how they took advantage of fundamental Internet protocols. By checking domain records, it was discovered that multiple IP addresses from around the world (Russia, US, Lithuania, UK and others) were assigned to these malicious web pages. After observing them over the course of 8 hours, it was noticed that they changed constantly (see Figure 3). This was a textbook case of a fast flux network (FFN). An FFN is a group of compromised computers that scam artists use to serve malicious content to victims or to redirect users to other malicious sites. They function by constantly changing the IP address that the domain name resolves to in an effort to elude detection. In this case study, zveloLABS saw domains with at most 17 unique IP addresses associated with them. The only other context in which this behavior would not be considered malicious is a Content Distribution Network (CDN), which uses a similar approach in order to perform load balancing.
Figure 3: Live fast-flux network showing numerous IP addresses at play
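The 8-hour observation above boils down to counting how many distinct answers a domain returns over time. As an added example (not zveloLABS' detection system), the code below summarizes a constructed resolution log per domain and flags fast-flux candidates; the CDN case from the text is separated by also counting the networks (origin ASes) the addresses belong to, since a CDN rotates addresses within its own network while an FFN spreads over many compromised hosts. The log, domain names and thresholds are assumptions for this example.

```python
from collections import defaultdict

# Constructed resolution log, one lookup per hour over the 8-hour window the
# case study describes: (hour, domain, resolved IP, origin AS). Sample data only.
OBSERVATIONS = [
    # candidate fast-flux domain: a new IP in a new network nearly every hour
    (0, "flux.example", "203.0.113.10", "AS64500"),
    (1, "flux.example", "198.51.100.7", "AS64501"),
    (2, "flux.example", "192.0.2.33", "AS64502"),
    (3, "flux.example", "203.0.113.10", "AS64500"),
    (4, "flux.example", "198.51.100.99", "AS64503"),
    (5, "flux.example", "192.0.2.201", "AS64504"),
    (6, "flux.example", "203.0.113.77", "AS64505"),
    (7, "flux.example", "198.51.100.7", "AS64501"),
    # CDN-fronted site: several IPs, but all inside one provider's network
    (0, "cdn.example", "192.0.2.1", "AS64510"),
    (2, "cdn.example", "192.0.2.2", "AS64510"),
    (4, "cdn.example", "192.0.2.3", "AS64510"),
    (6, "cdn.example", "192.0.2.1", "AS64510"),
    # ordinary site: one address the whole time
    (0, "static.example", "203.0.113.5", "AS64520"),
    (4, "static.example", "203.0.113.5", "AS64520"),
]


def summarize(observations):
    """Per domain: unique IPs, unique ASes and how often the answer changed."""
    by_domain = defaultdict(list)
    for hour, domain, ip, asn in sorted(observations):
        by_domain[domain].append((ip, asn))
    summary = {}
    for domain, rows in by_domain.items():
        ips = {ip for ip, _ in rows}
        asns = {asn for _, asn in rows}
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[0] != b[0])
        summary[domain] = {"ips": len(ips), "asns": len(asns), "changes": changes}
    return summary


def flag_fast_flux(summary, min_ips=5, min_asns=3):
    """Flag domains whose answers span many IPs in many networks.

    Thresholds are assumptions for this example. A CDN also rotates IPs, but
    normally inside its own network, so the AS count keeps it out of the list.
    """
    return sorted(d for d, s in summary.items()
                  if s["ips"] >= min_ips and s["asns"] >= min_asns)
```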
Upon completion of this investigation, zveloLABS rightfully notified the owners of the compromised websites and their hosting companies. The Internet community should continue to expect these types of web threats to increase. While zvelo will continue to enhance its automated malicious website detection technologies for the benefit of its OEM Partners and their customers and end-users, there are a few best practices common folks and IT professionals can abide by to reduce a website’s susceptibility to becoming compromised.
For end-users:
- Keep workstations updated regularly – malicious software often takes advantage of unpatched systems. Updating your system reduces the risk of compromise.
- Unsolicited emails from known associates should be treated carefully – faking an email is trivial and not unheard of, as is automated malware that sends disguised unsolicited email.
- Inspect the URL of a link before clicking on it – look for weird spellings, unusually long website names and web pages buried deep within a site’s directories.
For IT Administrators:
- Ensure your applications are updated regularly – as with end-users, keeping IT systems up-to-date is the best deterrent for opportunistic attacks.
- Do not expose administrative interfaces to the public – there is no reason why any IT professional should expose administrative interfaces to the general public. Ensure that interfaces are difficult to find.
- Only use frameworks you are comfortable with – as tempting as it might be to experiment with new technologies, like an instant blogging solution for a corporate website or a shopping cart, lack of familiarity with these applications may lead to inadvertent vulnerabilities. Take time to read and study products that will be used before implementation.