It’s always interesting to watch how malware attacks evolve over time.
Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among the “leaders”.
As always, it began when I started to notice a new pattern in domains of hidden iframes in Unmask Parasites reports.
When I checked the HTML code of affected web pages, everything looked exactly like in previous incarnations of this attack, except that the iframes now pointed to third-level .org, .com and .net domains.
Soon, I realized that all those domains were registered with free dynamic DNS hosting providers: DynDNS.com and No-IP.com. These sites allow anyone to register any third-level domain for free and point it to any static or dynamic IP address. This service is mainly used to assign a meaningful human-readable address to a home computer, so that people from outside can easily access it (e.g. a home website, game server or web camera) by name rather than by a hard-to-remember IP address (that may change).
These services provide a variety of second-level domains that can be used to construct free third-level domains. For example, at DynDNS you can register my3rdleveldomain.dyndns.org, or my3rdleveldomain.blogdns.org, or my3rdleveldomain.homeunix.org, or choose any other second-level domain from a list of 88 available domains. At No-IP.com they provide a choice of 21 base domains (e.g. no-ip.org, redirectme.net, servecounterstrike.com, zapto.org, etc.).
For this attack, hackers registered many third-level domains (at this moment I have a list of 140+ such domains) that point to web servers that host malicious content.
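The pattern described so far (an invisible iframe whose source is a third-level hostname under one of the free dynamic DNS base domains, served from a non-standard port) is easy to check for in your own pages. The following script is an added example written for this post, not code from Unmask Parasites or from either DNS provider: it lists only the base domains named above as a constructed partial sample (the full lists of 88 and 21 domains are not reproduced), and the sample HTML, including the `constructed-label` hostnames, is made up for the demonstration.

```python
"""Flag hidden iframes that point at hosts under free dynamic-DNS base domains.

Added example for this post, not code from Unmask Parasites. The base-domain
list is a constructed partial sample built from the domains the post names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of second-level base domains offered by the two services
# named in the post. A real check would load the providers' full published lists.
DYNAMIC_DNS_BASES = {
    "dyndns.org", "blogdns.org", "homeunix.org",                           # DynDNS examples from the post
    "no-ip.org", "redirectme.net", "servecounterstrike.com", "zapto.org",  # No-IP examples from the post
}

_ZERO_ATTR = re.compile(r"^0+(px|pt|%)?$")                      # width="0", height="0px", ...
_ZERO_STYLE = re.compile(r"(?:^|;)(?:width|height):0+(?:px|pt|%)?(?:;|$)")


def is_hidden(attrs):
    """Heuristic: the iframe is invisible to the visitor (zero size or hidden via CSS)."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or _ZERO_STYLE.search(style):
        return True
    width, height = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    return bool(_ZERO_ATTR.match(width) or _ZERO_ATTR.match(height))


def dynamic_dns_base(hostname):
    """Return the free base domain if hostname is a third-level name directly under one, else None."""
    host = hostname.lower().rstrip(".")
    for base in DYNAMIC_DNS_BASES:
        if host.endswith("." + base):
            prefix = host[: -len(base) - 1]
            if prefix and "." not in prefix:  # exactly one label above the base, as in the post
                return base
    return None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html):
    """Return (src, reasons) for iframes that are hidden, on a dynamic-DNS host, or on an odd port."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        if not src:
            continue
        parts = urlsplit(src if "://" in src else "http://" + src)
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        base = dynamic_dns_base(parts.hostname or "")
        if base:
            reasons.append(f"dynamic-dns:{base}")
        try:
            port = parts.port
        except ValueError:      # malformed port in the URL is itself worth a look
            port = -1
        if port not in (None, 80, 443):
            reasons.append(f"port:{port}")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed and two hidden iframes of the kind described.
SAMPLE_HTML = """<html><body>
<p>Legitimate page content.</p>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
<iframe src="http://constructed-label.dyndns.org:8080/path/" width="0" height="0" frameborder="0"></iframe>
<iframe style="display: none" src="http://constructed-label.zapto.org:8080/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Any iframe that collects all three reasons at once (hidden, dynamic-DNS host, non-standard port) matches the pattern of this attack exactly; a legitimate embed rarely hits even one. Feed the function the HTML as the server actually sends it, since the injected markup may not appear in your CMS templates.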
Update: I’ve sent my lists to both DynDNS and NO-IP. Thanks to the prompt reaction of Chris Widner (DynDNS), 100+ malicious domains from my list, and a lot more that I didn’t know of, no longer resolve. I hope NO-IP’s reaction will follow.
Update 2 (Sept 12, 2009): NO-IP has also blocked malicious domains shortly after I had posted the previous update.
However, since hackers add new domain names every hour, 100+ new hostnames need to be blocked. I’ve sent a few updates to both services, but they haven’t yet responded and I guess we’ll need to wait until Monday when they get back to work.
Using free third-level domains instead of real second-level domains (after all, they are all disposable and used for a few days only) is not the only innovation. Another serious innovation is where all those domains point to.
Previously, all their domains pointed to the same servers. The IP addresses of the servers changed over time, but all malicious domains were configured to point to the same set of 5 IPs (each domain has 5 A records).
When I checked the IPs, I discovered that all of them are dedicated (or virtual dedicated) servers that host legitimate web sites. They serve legitimate content from port 80 and malicious content from port 8080. It looks like all those servers have been hacked and server admins are unaware that hackers managed to set up a web server on port 8080 that serves malicious content. If you are an admin of a Linux server, it’s time to check if you have an unauthorized web server working on port 8080.
On all hacked servers, the web server that works on port 8080 identifies itself as nginx, while the legitimate web servers on port 80 are different versions of Apache. If it’s really nginx (why not? it’s a lightweight web server), hackers should have been able to download source files, compile and install nginx – something that requires shell access with root privileges.
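The check suggested above (is there a web server listening on 8080 that you did not install, and is the process behind each port the one you expect?) can be scripted against the output of `ss -lntp`. The script below is an added example for this post, not Unmask Parasites code: the `ss` output embedded in it is constructed to mirror the situation described (Apache on 80/443, an unexpected nginx on 8080), and the `EXPECTED` map is an assumed per-host allowlist that each admin fills in for their own server.

```python
"""Flag listening TCP sockets that an admin did not expect on a web server.

Added example for this post (not Unmask Parasites code). It parses the output
of `ss -lntp` (run as root so process names are shown); the sample output
below is constructed to mirror the situation the post describes.
"""
import re
import subprocess

# Constructed sample of `ss -lntp` output: sshd on 22, Apache on 80/443, and an
# nginx listener on 8080 that nobody installed on purpose.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("apache2",pid=1234,fd=6))
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*         users:(("nginx",pid=4321,fd=6),("nginx",pid=4322,fd=6))
LISTEN 0      511    [::]:80             [::]:*            users:(("apache2",pid=1234,fd=5))
"""

# Assumed allowlist for this host: port -> process names that may legitimately own it.
EXPECTED = {22: {"sshd"}, 80: {"apache2", "httpd"}, 443: {"apache2", "httpd"}}

_PROC = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Yield (port, process_name, pid) for every LISTEN line; name/pid are None if ss hid them."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                   # header or non-listening line
        port = int(fields[3].rsplit(":", 1)[1])        # works for 0.0.0.0:80 and [::]:80
        procs = _PROC.findall(line) or [(None, None)]  # no users:(...) without root
        for name, pid in procs:
            yield port, name, (int(pid) if pid else None)


def unexpected_listeners(output, expected=EXPECTED):
    """Return sorted unique (port, process, pid, reason) for listeners outside the allowlist."""
    findings = set()
    for port, name, pid in parse_ss(output):
        if port not in expected:
            findings.add((port, name, pid, "unexpected port"))
        elif name not in expected[port]:
            findings.add((port, name, pid, "unexpected process"))
    return sorted(findings, key=lambda f: (f[0], f[2] or 0))


def live_ss_output():
    """Run ss on this host (needs iproute2; run as root to see process names)."""
    return subprocess.run(["ss", "-lntp"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for port, name, pid, reason in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port}: {name} (pid {pid}) - {reason}")
```

For a live check, pass `live_ss_output()` instead of the sample. For each flagged pid, `ls -l /proc/<pid>/exe` shows which binary is actually running, and your package manager (`dpkg -S` or `rpm -qf` on that path) tells you whether it was installed from a package or compiled by hand, which is the distinction the paragraph above draws.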
Moreover, each server works as a load balancer for the other malicious servers used in this attack. When you try to load any iframe URL, you get redirected to a random server (again a third-level domain and port 8080) from a list of 10 other currently active servers. This list gets updated every hour on all servers.
What we see here is a long-awaited botnet of zombie web servers! A group of interconnected infected web servers with a common control center, involved in malware distribution. To make things more complex, this botnet of web servers is connected with the botnet of infected home computers (the malware they serve infects computers and turns them into zombies).
Who knows what else those infected web servers can do? They may be involved in SPAM distribution, in DDoS attacks, etc. They can do everything normal zombie computers do, but more effectively thanks to a better Internet connection.
However, having a web server as a zombie has obvious downsides for hackers. Once the IP of the server is known, it’s only a matter of time before it is shut down – they are all on networks of reputable hosting providers that can switch off the server if its admin fails to remove the malicious service. On the other hand, server admins are usually much more experienced in terms of security than an average computer user, so the chances that a dedicated server gets hacked are significantly lower than the chances that a home computer gets infected with some virus. At the same time, the number of dedicated servers, I believe, is also significantly smaller than the number of home computers connected to the Internet.
So, if hackers want this attack to be active for more than just a week, they need to either have a “portfolio” of thousands of already hacked servers waiting for their turn, or they know about some exploitable vulnerability in Linux (all servers I checked were Linux-based) so that they can easily turn any number of servers into zombies. So if this is not just a proof-of-concept attack that will cease to exist in a week, there is a real problem that server admins must address ASAP!
It just occurred to me that hackers may simply have the root passwords of those hacked servers. After all, this iframe attack uses stolen FTP passwords to inject hidden iframes into legitimate web sites. So the chances are that the local computers of the server administrators were infected with spyware that steals FTP credentials, and the admins were dumb enough to use the root account for (S)FTP operations and even dumber to store their root passwords in FTP program settings. Having a database of thousands of stolen FTP credentials, hackers just need to search for entries with username “root”. And if the law of big numbers works, they should be able to find quite a few root credentials.
If you are a hosting provider that offers dedicated or virtual dedicated servers, you might want to contact me to find out if any of your servers are on my list of compromised hosts (some IPs belong to major players like SoftLayer, ThePlanet, Dreamhost, Lunar Pages, Rackspace, Media Temple, 1&1 Internet, etc.). It would be great if we could find out what happened to those servers.
Update (Sept 12, 2009): I’ve sent my list of IPs to StopBadware.org and they promised to notify hosting providers.
I’ve only started to investigate this attack and this article is based on the scarce information I managed to retrieve from the URLs of malicious iframes. This is not enough to have the whole picture. I hope administrators of compromised servers can share their findings.
If you know any additional information about the attack, or think that my assumptions are flawed, please post your comments here.