Recently, we have seen a massive increase in malware attacks. Hackers find weak spots (vulnerabilities) in a system or application, exploit them to gain access, and end up infecting it with malware. The attack is usually aimed at a large audience, i.e. the website's legitimate users. Malware can be spread by various means: an email attachment, a file download, JavaScript executed on page load, broken links, page redirects, etc.
In a recent malware analysis activity, I noticed a hacker adopting a different approach to infecting a website. The hacker exploited weak FTP credentials to gain access to the web folder and infected application support files, i.e. js, cs and html files, instead of infecting the main application pages. The malicious script executed in the user's browser, gave an unavoidable Microsoft Essentials pop-up, and the pop-up disappeared after the user clicked the "OK" button. This script also executed a function from within the page which silently transferred all valid sessions open in the same browser's tabs to the attacker's website, eventually compromising user accounts by session hijacking. Think of a less secure website that sends authentication credentials in a cookie!
There were two interesting points in this attack:
- The attacker injected the malicious code in Base64-encoded form and called a decode function from within the file to make it understandable to the browser
- The attacker infected very few application support files, leaving the main application files alone, to get past malware detection
The attack was identified and reported by a legitimate user with some security knowledge, who noticed that Microsoft Essentials was not installed on his system.
The Steps: Root Cause Analysis
Analyzing malware requires effort, time, skill and at least a minimum of application knowledge. Below are a few mandatory questions that must be asked before you conduct an RCA for a website:
- How many entry points does your application have?
- Do you have system and application logs?
- Why do you suspect your website is infected?
- How do you manage your website?
After gathering these answers, you will have a direction in which to look. Ask the website owner for the web application files, application logs, system logs and firewall logs, if they exist. The next step is to adopt the following approach for the analysis:
- Identify and block the hacker's access to your server
- Back up the old infected code
- Identify the activity/action of the malware, such as installing a backdoor, stealing session cookies, fake redirects, etc.
- Replicate the malware attack at your end to verify the malware's behavior
- Analyze every application file for maliciously injected script. File size may give you a hint of which files are infected. In my case, every infected file had grown by 2 KB compared to the original file
- Remove the malicious script from all infected files
- Scan your website folder with anti-virus and malware detection tools
- Audit your server with the Sysinternals Autoruns tool
- Put your cleaned application files live, ensuring the website functions exactly as before. Check every page load, image and button that must be in place
- Scan your website with McAfee SiteAdvisor to ensure no malware remains on the website
- Issue a best-practice guideline
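As an added example (not code from the original post), the following Python script ties together the Base64 observation above and the file-size hint in the analysis step: it compares a live web folder against a clean backup, flags support files (assumed here to be .js, .css and .html) that pair a decoder call such as atob() or eval() with a long Base64 blob, decodes the blob so its action can be read, and reports any file that has grown past a threshold. The CLEAN and LIVE trees and the encoded payload are constructed samples, not artifacts from the incident.

```python
import base64
import binascii
import re
from pathlib import Path

SUPPORT_EXTS = {".js", ".css", ".html", ".htm"}   # assumed "support" file types
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long run of Base64 alphabet (heuristic)
DECODER_CALL = re.compile(r"\b(atob|eval|unescape|Function)\s*\(")  # makes a blob runnable

def load_tree(root):
    """Map relative path -> bytes for every support file under root (live site or backup)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.suffix.lower() in SUPPORT_EXTS}

def decode_blobs(text):
    """Return (blob, decoded text) for Base64 runs that decode to readable UTF-8."""
    out = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # random alphanumerics (minified identifiers) are not a payload
        if all(c.isprintable() or c.isspace() for c in decoded):
            out.append((blob, decoded))
    return out

def scan_tree(live, clean=None, min_growth=1024):
    """Flag files that pair a decoder call with a Base64 blob, or grew vs. the clean backup."""
    findings = {}
    for rel, data in live.items():
        text = data.decode("utf-8", errors="replace")
        reasons = []
        blobs, decoders = decode_blobs(text), sorted(set(DECODER_CALL.findall(text)))
        if blobs and decoders:
            reasons.append("decoder %s applied to Base64 blob decoding to %r"
                           % (", ".join(decoders), blobs[0][1][:60]))
        if clean is not None and rel in clean and len(data) - len(clean[rel]) >= min_growth:
            reasons.append("grew %d bytes vs. clean backup" % (len(data) - len(clean[rel])))
        if reasons:
            findings[rel] = reasons
    return findings

# Constructed sample trees (not from the incident): a clean backup and an infected copy.
CLEAN = {"js/menu.js": b"function showMenu(id){document.getElementById(id).style.display='block';}"}
_blob = base64.b64encode(b'alert("Constructed sample: fake security pop-up");').decode()
LIVE = {"js/menu.js": CLEAN["js/menu.js"] + ('\neval(atob("%s"));' % _blob).encode()}
```

Against a real site, call `scan_tree(load_tree("/path/to/live"), load_tree("/path/to/backup"))`; the default 1024-byte threshold is close to the 2 KB growth seen in this case, while the constructed sample needs `min_growth=50` to trigger the size check.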
Hackers always keep pace with our own evolving technology. Be aware to be safe.