Each day, when we review our spam feeds, we see links to hundreds of hacked or compromised websites that are being used to host spam content, such as images, redirect scripts or malicious IFrames. Often these websites have had code appended to the end of each file, or have had new HTML or PHP files uploaded to them. For example, here is a spam email sent by the Pushdo botnet. Three of the four links in this email lead to the same compromised website.

Below are two common examples of files that have been uploaded to compromised websites. The first redirects the browser to a ‘World software’ affiliate site, the second redirects to a Canadian Pharmacy website.

Obviously, attackers do not infect hundreds of web pages by hand; they use a script or a botnet to do the work for them. Some examples of this are Asprox and Gumblar, both known for mass website infections: Asprox via SQL injection and Gumblar by using stolen FTP credentials.
One other such bot is known as GootKit. We came across this bot when it was installed on one of our test machines by a malicious downloader, along with a host of other malware. Most of Gootkit’s functions are implemented in scripts that are downloaded as tasks from a control server.
The first request Gootkit makes to its control server is for the file ‘bootstrap’. As its name suggests, this script contains some basic functions that allow it to request and download new tasks from the control server and execute them.
The bootstrap script downloads and processes an XML file named ‘xml’. This contains a list of ‘tasks’, each with a corresponding script file that needs to be downloaded and executed.

The first task here is implemented in the script ‘iframe2.script’ which the bootstrap script downloads and runs.

This, as the script above says, is the script that inserts IFrames into web pages. This component routinely requests a new set of FTP credentials from a control server.

Once logged into an FTP site, the IFramer component searches for any web page-related files, such as those ending in .html and .php, and inserts IFrame code obtained from another request to a control server.
We are unsure exactly how the control server obtained all of the FTP credentials, but most often these are stolen via keyloggers and information-stealing malware installed on a website administrator’s PC.
Gootkit is another example that highlights the highly automated systems that attackers are using to infect web pages en masse. These systems are underpinned and driven by botnets, which provide the scalability and anonymity that the cybercriminals desire.
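As an added example (not code from the Gootkit analysis, and not part of the original post), here is a defender-side check for the behaviour just described: a Python scanner that walks a web root for .html/.php files and flags IFrames that are hidden via CSS, sized at a pixel or two, point to an external host, or were appended after the closing </html> tag. The sample page contents and the host bad.example are constructed for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample pages (not real site content): a clean page and the same
# page with a hidden one-pixel IFrame appended after </html>, which is the
# pattern an automated IFramer leaves behind.
CLEAN_PAGE = "<html><body><h1>Hello</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://bad.example/in.cgi" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
SIZE_RE = re.compile(r'\b(width|height)\s*=\s*["\']?(\d+)', re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def find_suspicious_iframes(html: str, own_hosts=()) -> list:
    """Return one finding per IFrame that looks injected rather than authored.
    own_hosts: hostnames the site legitimately embeds (anything else is external)."""
    findings = []
    end_of_doc = html.lower().rfind("</html>")  # -1 if the page has no closing tag
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        reasons = []
        src = SRC_RE.search(tag)
        src_val = src.group(1) if src else ""
        host = urlparse(src_val).hostname
        if host and host not in own_hosts:
            reasons.append("external src")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden via CSS")
        dims = {k.lower(): int(v) for k, v in SIZE_RE.findall(tag)}
        if dims and max(dims.values()) <= 2:
            reasons.append("zero/one pixel size")
        if end_of_doc != -1 and m.start() > end_of_doc:
            reasons.append("appended after </html>")
        if reasons:
            findings.append({"src": src_val, "reasons": reasons, "offset": m.start()})
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php")) -> dict:
    """Walk a web root and map each file path to its suspicious IFrame findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = find_suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results
```

Run `scan_tree("/var/www")` (or wherever the site lives) from a cron job and diff the output against the previous run; a new finding in a file that has not been edited by an administrator is a strong sign that the FTP credentials have been used by someone else.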