Discreet large-scale attack on the net

In January 2008, tens of web servers were hacked with the same exploit. These web servers were all running Apache. The infected web servers added a discreet call to a JavaScript file to the main page of the hosted sites. Once executed by the visiting browser, the JavaScript probed for vulnerabilities in order to load malware onto the visiting host. The final goal of the installed malware was to load a binary that enrolled the machine in a botnet. The infected sites were very different, ranging from hospitality promotion to sales of automotive replacement parts, and even one security-dedicated site.

The attack was extremely sophisticated. The attacker used ptrace to inject code into the memory of the running Apache process. Thus, no file on the server was modified! The name of the JavaScript file was changed randomly for each new visit. If the same IP address visited the site a second time, the JavaScript was not appended to the downloaded page. The JavaScript itself was obfuscated. The final binary that is loaded is extremely cunning. It hides in plain sight under a reassuring name (regscan.exe). It modifies Internet Explorer to bypass potential firewalls.
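Because the injection lived only in Apache's memory, a file-integrity check of the document root would have found nothing; the injected script is visible only when the page the server actually returns is compared against the on-disk copy. The following is an added example of that comparison, not code from the original post; the two HTML strings are constructed samples, and the script name is a placeholder.

```python
# Added example, not code from the original post. The attack above patched
# Apache in memory via ptrace and left the document root untouched, so only a
# served-vs-on-disk comparison reveals the extra <script> reference.
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect each <script src=...> reference and each inline script body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.scripts.append(("inline", data.strip()))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts

def injected_scripts(on_disk_html, served_html):
    """Scripts present in the served page but absent from the on-disk file."""
    baseline = set(collect_scripts(on_disk_html))
    return [s for s in collect_scripts(served_html) if s not in baseline]

# Constructed sample: the document-root copy and what a first-time visitor got.
ON_DISK = '<html><head><script src="/js/menu.js"></script></head><body>Parts</body></html>'
SERVED = ('<html><head><script src="/js/menu.js"></script>'
          '<script src="/x7q2k9.js"></script></head><body>Parts</body></html>')

if __name__ == "__main__":
    for kind, value in injected_scripts(ON_DISK, SERVED):
        print(f"injected {kind}: {value}")
```

Since the server only appended the script on the first visit from a given IP address, the served copy has to be fetched from an address that has not contacted the site before, or the comparison will report a clean page.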

The aim of this attack was clearly financial. Access to an infected computer for a botnet can be negotiated for around $1. These zombies are extremely useful for sending spam or running adware. Interestingly, two weeks after the attacks were detected, the attacker cleaned the servers he/she had infected. The attacker was looking for discretion, not for the media spotlight.

This attack shows that hacking has become a profitable business handled by extremely skilled attackers. We are far from the script kiddies or the geeks who were looking for fame. This story also highlights that you are always at risk, even if you do not visit “risky” sites: “innocent” sites may infect your computer.

Law 4: Trust no one. Keep your computer up to date with all the patches. It is a tedious task, but mandatory. The JavaScript was looking for known vulnerabilities that could already have been patched.

For more information, read Bureau M., “Infection sur la toile”, MISC n°7, May/June 2008.
