The Blackhole exploit kit has received a lot of attention recently, and we have published several technical papers on it.
The attention is warranted – the kit remains one of the most prevalent being used by criminals to infect users with malware.
In this article I am going to take a look at some of the recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites.
JavaScript libraries on the legitimate websites are prepended with code like this:
Similarly, webpages are injected with an inline script:
Sophos products block both types of infection as Mal/Iframe-AL.
SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats!
If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites that we have seen compromised in some way over the past week.
Clearly, then, these attacks are widespread.
I wanted to dig a bit further into these attacks, in order to understand a bit more about how the sites are getting hacked.
Looking at data collected over the past 14 days (Feb 18th – March 4th 2013), I started off by looking at the host ISPs for the compromised web sites.
As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
(I have anonymized the ISP data intentionally – I will be following up with as many of these as possible in order to try and get the servers cleaned up.)
Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect if the attacks were agnostic to the platform.
Most of these servers are running CentOS (then Debian then Ubuntu).
This last piece of data gives us some clues as to how these attacks are happening.
Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this.
Digging around, it appears that this is indeed the root cause. The folks over at Sucuri managed to get hold of the rogue module that was used on one such victim server.
Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded. Please feel free to send suspect modules to Sophos by following the regular sample submission guidelines.
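The following script is an added example of the check described above; it is not code from the post or from Sophos, and the allowlist of module names in it is constructed for illustration (replace it with the module list from a known-clean build of your own httpd). It does three things that follow from the article: lists loaded modules that are not on the allowlist, finds LoadModule targets that the package manager (rpm on CentOS, dpkg on Debian/Ubuntu) does not own, and, because the rogue module rewrites content at delivery time while the file on disk stays clean, compares a static file as served over HTTP with the copy on disk.

```shell
#!/bin/sh
# Added example, not from the post: audit an Apache host for unexpected
# modules and for content that is modified as it is served.
# KNOWN_MODULES is a constructed allowlist; populate it from a clean build.

KNOWN_MODULES="core_module so_module http_module mpm_prefork_module \
authz_core_module authz_host_module dir_module mime_module log_config_module \
setenvif_module alias_module rewrite_module ssl_module php5_module"

# Read `apachectl -M` / `httpd -M` output on stdin and print each loaded
# module whose name is not in KNOWN_MODULES. Lines that are not module
# entries (e.g. the "Loaded Modules:" banner) are skipped.
unexpected_modules() {
    while IFS= read -r line; do
        case "$line" in
            *"(static)"|*"(shared)") ;;
            *) continue ;;
        esac
        set -- $line            # word-split: $1 is the module name
        name=$1
        case " $KNOWN_MODULES " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Print every LoadModule target under the config dir whose .so file is not
# owned by an installed package. A file listed here was put on the box
# outside the package manager, which is how a dropped-in module looks.
unowned_loadmodule_files() {
    conf_dir="${1:-/etc/httpd}"        # /etc/apache2 on Debian-family hosts
    server_root=$(grep -rhs '^ServerRoot' "$conf_dir" | awk '{print $2}' \
                  | tr -d '"' | head -n1)
    grep -rhs '^[[:space:]]*LoadModule' "$conf_dir" | awk '{print $3}' \
    | while read -r path; do
        case "$path" in
            /*) ;;
            *) path="${server_root:-$conf_dir}/$path" ;;   # relative to ServerRoot
        esac
        real=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$real" >/dev/null 2>&1 || printf '%s\n' "$real"
        elif command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$real" >/dev/null 2>&1 || printf '%s\n' "$real"
        fi
    done
}

# Fetch a static file through the web server and diff it against the copy
# on disk. Returns 0 when they match; any difference means something is
# altering the response between disk and client and deserves a closer look.
served_matches_disk() {
    url="$1"; disk_file="$2"
    curl -fsS "$url" | diff -q - "$disk_file" >/dev/null
}

audit() {
    echo "== loaded modules not in allowlist =="
    (apachectl -M 2>/dev/null || httpd -M 2>/dev/null || apache2ctl -M 2>/dev/null) \
        | unexpected_modules
    echo "== LoadModule targets not owned by a package =="
    unowned_loadmodule_files "${APACHE_CONF_DIR:-/etc/httpd}"
    if [ -n "${CHECK_URL:-}" ] && [ -n "${CHECK_FILE:-}" ]; then
        if served_matches_disk "$CHECK_URL" "$CHECK_FILE"; then
            echo "served content matches disk: $CHECK_FILE"
        else
            echo "SERVED CONTENT DIFFERS FROM DISK: $CHECK_FILE"
        fi
    fi
}

# Usage: sh apache_audit.sh --audit
#        CHECK_URL=http://localhost/js/app.js CHECK_FILE=/var/www/html/js/app.js \
#            sh apache_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Package verification complements the ownership check: `rpm -V httpd` on CentOS, or `debsums -c` against the Apache package on Debian/Ubuntu, reports packaged module files whose contents have changed, which catches a legitimate module binary that was replaced rather than a new one that was added.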
Update March 20th, 2013:
As noted above, we have been working with various affected ISPs in order to get servers cleaned up. Several malicious Apache modules have surfaced, and these are confirmed to be within the Apmod family, also known as ‘Darkleech’. Samples obtained thus far have been detected as Troj/Apmod-D.
An analysis of Apmod/Darkleech can be found here (Japanese).
Will rogue modules have a consistent name, or will it change with each instance? Can you name a module that's known to have been compromised?
The module name will change.
There is some great information for server administrators in the following post, which concerned a similar, previous spate of injections. (See the 'To server administrators' section.)
http://blog.unmaskparasites.com/2012/09/10/malici…
If I wanted to block this using our Barracuda web filter, is there a way to do so? You have the IP blocked out and I doubt SEP detects this yet and the product as a whole is mostly useless IMO. I am looking for a way to block this at our Web Filter if possible.
There are many IPs being used so blocking specific ones will be pretty ineffective. I am not familiar with your web filter so do not know what capabilities it offers, but feel free to drop me an email and I will follow up with you (firstname.lastname at sophos dot com).
How did these rogue modules become loaded in the first place? Is it known?
No, at this point we do not know how the servers are getting hacked. We are in the process of following up with some of the ISPs, so hopefully will get more insight then.
What is the likelihood of the Apache source repos or build mirrors being infected?