Are there any websites that are NOT compromised?

Published: 2013-05-08. Last Updated: 2013-05-08 01:16:07 UTC
by Johannes Ullrich (Version: 1)

Today was yet another day with lots of compromised websites, some notable others less.

This morning, a reader wrote in to notify us that the county government website of a county in Georgia was compromised. Sure enough, it appeared to serve malicious JavaScript, launching the usual exploit kit Java exploit (ZeroAccess was the reader's guess, and I think he was right). With smaller sites/organizations like this, I usually try to give them a call, and in this case, was pretty quickly sent to a person who was responsible for the web site content. Sadly, I don't think this person had enough basic understanding of exploit kits or web applications to follow most of what I tried to explain, but she knew someone to contact. As of right now, the web site *appears* to be "clean". Which gets me to the next point: some of the difficulties one encounters in notifying sites:

- Frequently, like in this case, the exploit only shows up on some pages, and not all the time. Sometimes you need to visit with a specific browser, sometimes it is random, or in other cases, the miscreant appears to filter out requests from "administrators", showing them the unaltered site.

- It is very hard to NOT get people to go to the URL right away as you talk about it being dangerous. It was relatively early in the morning, and I forgot my usual introduction not to go to the site, so sure enough, as I explained which page I noticed as "infected", the person on the phone responded "but it looks normal"...

- In particular for small sites like this, the standard blocklists don't work. VirusTotal's URL scanner showed the site as "safe". Kaspersky Anti-Virus on one of my Macs flagged the JavaScript with a generic exploit signature and prevented access.

FWIW: My guess is that the site was infected via the WordPress plugin "Super Cache", which was installed on the site. This plugin had some recent vulnerabilities.

The other compromise, which created a larger news response, was the compromise of wtop.com and federalnewsradio.com. Both sites are related to each other, so I consider them one compromise. The interesting response in this case was that the site blocked access from users running Internet Explorer, but let others into the site. I didn't see any exploit code when I retrieved the site, but I am not sure if it is safe to assume that an exploit is only going to attack one particular browser, and the miscreant appears to filter out requests from "administrators", showing them the unaltered site.
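Because the injected content described above only shows up for some browsers, some of the time, or not at all for suspected "administrators", a single fetch of a page proves little. The following is an added example (not part of the diary or any tool mentioned in it) of the comparison logic a defender can run over several fetches of the same URL, made with different User-Agent strings or repeated over time: it reports every script element that is present in some fetches but not all. The HTML samples and the `exploit-kit.invalid` hostname are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches <script ...>...</script> and captures the attribute string and body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def extract_scripts(html):
    """Return a set of normalized script keys found in one page fetch:
    'src=<url>' for external scripts, 'inline=<collapsed body>' for inline ones."""
    keys = set()
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            keys.add("src=" + src.group(1))
        else:
            keys.add("inline=" + " ".join(body.split()))
    return keys


def conditional_scripts(variants):
    """Given {label: html} for several fetches of the same URL (different
    User-Agent headers, repeated visits), return {script_key: sorted labels}
    for every script that did NOT appear in all fetches. Content that is
    served to some visitors only is exactly what a notifier needs to show."""
    seen = defaultdict(set)
    for label, html in variants.items():
        for key in extract_scripts(html):
            seen[key].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) < len(variants)}


# Constructed sample responses (not real captures): the same page fetched with
# three User-Agent strings. The "admin" fetch gets the unaltered page; the
# "ie" and "firefox" fetches carry an injected external script.
BASE = '<html><head><script src="/js/site.js"></script></head><body>Hi</body></html>'
INJECTED = '<script src="http://exploit-kit.invalid/load.js"></script>'
SAMPLES = {
    "admin": BASE,
    "ie": BASE.replace("</head>", INJECTED + "</head>"),
    "firefox": BASE.replace("</body>", INJECTED + "</body>"),
}

if __name__ == "__main__":
    for key, labels in conditional_scripts(SAMPLES).items():
        print(f"only served to {labels}: {key}")
```

Fetching the variants yourself means sending the same request several times with different User-Agent headers and labelling each response; anything the function returns is worth quoting to the site owner, since the page they see themselves may well be the clean one.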

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Comments

The human factor is one of the biggest vulnerabilities for information security in general. A well trained user can be a security ally while a user that is unaware of risks can be your biggest vulnerability. This is true for systems administrators as well. In my experience I have found that smaller companies and local/state government IT departments rarely have the resources to fully fund a web administrator that is also well versed in security. Usually, an IT generalist (desktop support/server admin/email admin) with very little web/security knowledge will be tasked with initially deploying and supporting the website. This in turn leads to a website that isn't properly maintained, patched, or secured. The human factor is probably the weakest link in the chain when it comes to website security.

To answer your question, I think (but I can't be certain) that isc.sans.edu isn't compromised and currently safe to browse...
see also:
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/

http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c

http://heise.de/-1859414 (German page of http://www.h-online.com/)
I'm quite impressed by the radio stations' reaction. Not only did they post a prominent announcement regarding the compromise to both websites, they went so far as to disable access to those sites for visitors using IE. Trying to visit in IE gets a brief, informative message explaining to the visitor that they should run a malware scan, and providing links to download safer alternative browsers.

If only more entities would react to compromise this way! Kudos to WTOP and whoever may have assisted them in fixing their problem and crafting the public announcement.
I'm really getting disgusted by the WP community's refusal to talk openly about security problems.

WP SuperCache & Total Cache both have had recent vulnerabilities, which apparently have been fixed, but there appears to be no obvious mention of the problems or fixes on their sites.

Without warning users, who's going to upgrade?
@BJ - excellent point. I would guess that as this industry matures, IT/software firms will be legally required to expose security issues/bugs just like the auto industry does today. In my opinion, the entire IT/software industry is still in its childhood stage and far from mature. It's no longer an infant (think IBM XT 8080 with a 4-color CGA monitor to AOL days) but we're far from adults.

It's just a matter of time before the IT industry (software and security included) is regulated to the same extent that other industries are (energy, manufacturing). We are still in the wild west days... and WP's nonexistent communication on security issues is a perfect example of that.
Let me clarify, we do have some regulation in the form of FISMA, SOX, NERC-CIP, etc. However, these compliance guidelines/regulations are strictly imposed on the end user/customer/organization and have no leverage/authority over firms that produce IT/software... it's like imposing regulations on homeowners instead of the home-builders... or on drivers instead of on the car industry. Imagine if consumers were responsible for installing airbags and anti-lock brakes in their own cars to be compliant with safety standards while car manufacturers continued to produce cars without them? That's the situation we have in the IT/software industry.
I worked incident response for a site affected by the WTOP / federalnewsradio attack, and I wrote up analysis of the server-side malware here:

http://www.osirt.com/2013/05/media-site-mass-hack-malware-analysis/
Is a legitimate website that displays advertisements from outside servers compromised if the outside server is? I have seen this several times over the past few years, and web filtering is often ineffective because of it.
