Malware statistics, and how it infects…
This article claims that most malware (spyware and such) comes from a very few web hosting providers. The top four, by number of infected sites, are:
- iPowerWeb: 11,000
- Layered Technologies: 2,500
- ThePlanet.com: 2,000
- Internap: 1,400
The report puts China far behind, with its top-ranked malware hosting provider at 800. This part of the study is somewhat surprising. I think most people in the industry would guess that most of the malware and spam problems are coming from China.
I'm glad to see that the report does surmise that a lot of these sites are ordinary websites that have been hacked. It is actually easier than one would think to hack a website. With the way sites are set up now, it is more difficult to hack an entire server, but you could certainly find the known holes in a random site and hack them.
There are a few reasons sites are easier to hack than servers. Websites tend to use code written by third parties. Not only is this code more available to attackers looking for vulnerabilities, but it is generally not well maintained. A lot of webmasters set up their site and, once finished, move on to new pursuits. A very large number of sites are never updated or brought current with patches. This leads to cross-site scripting attacks, general hacking, and spam.
Here is a quick example to bring the point home. An amateur webmaster ("My cousin builds websites, I will have him set one up for you") gets asked to set up a new website for some organization or business. The business owner would like a simple form and a bulletin board. The webmaster (I should say this can happen to anyone, it is not just the amateurs) downloads code from the Open Source community. He downloads FormThing 1.0 and BulletinBoardThing 1.0. The webmaster then figures out how to get the server set up with these forms and bulletin boards. He gets it configured to look and work the way the customer wants and then launches the site. Very little time is ever given to security, which is usually assumed to be good since it was Open Source code.
After the site launches, the writers of FormThing and BulletinBoardThing post updates to fix major flaws in the code. In order to be secure you must be running FormThing version 2.0 or higher, and BBThing 2.0 or higher, which have the code fixes installed. A few years pass, and the Internet is rife with hackers making money on spam botnets. They need ways to infect a large number of people with new malware so they can sell more spam. The hackers put a quick search in Google for versions of FormThing 1.0 and BBThing 1.0. Meanwhile, the organization has been using this site for years with no problems. The webmaster who set it up has long since gotten a new career and is no longer available to work on the site.
The hackers have found two very useful pieces of property. The form can now very easily be hijacked to start sending out mass amounts of spam. In fact, all they have to do is write a simple loop that connects to the form and sends the spam through it. When the code was originally written, no one was thinking about security. There are no checks to ensure that the data given to the form is valid. So codes like \r\n are passed directly to the SendMail program, and this allows Blind Carbon Copies to be written after the expected text. The \r\n is the Unix code for Carriage Return & Line Feed. This rewrites the Internet header part of an email and allows the spammer to send to multiple people who were not originally intended as recipients in the code. Basically, all it does is allow the hacker to write his own email addresses into the email and send spam to many people.
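To show the header injection concretely, here is an added example (not code from the post, and not the real FormThing): a mail-header builder in the old unchecked style next to a hardened one that rejects any field containing carriage return or line feed. The form field contents are constructed sample input.

```python
import re

# Constructed sample submission for the "From" field of a contact form. The
# \r\n is the carriage-return/line-feed pair the post describes; a mail
# program reads whatever follows it as a brand-new header line.
TAINTED_FROM = "visitor@example.net\r\nBcc: one@example.org, two@example.org"

# CR, LF and any other control character have no business inside a header value.
HEADER_CONTROL_CHARS = re.compile(r"[\r\n\x00-\x1f\x7f]")


def build_headers_unchecked(to_addr: str, from_addr: str, subject: str) -> str:
    """FormThing 1.0 style: form fields are pasted straight into the headers."""
    return f"To: {to_addr}\r\nFrom: {from_addr}\r\nSubject: {subject}\r\n"


def header_value_is_clean(value: str) -> bool:
    """A single header value must contain no CR, LF or other control bytes."""
    return HEADER_CONTROL_CHARS.search(value) is None


def build_headers_checked(to_addr: str, from_addr: str, subject: str) -> str:
    """Hardened version: refuse any field that would add a header line."""
    for name, value in (("To", to_addr), ("From", from_addr), ("Subject", subject)):
        if not header_value_is_clean(value):
            raise ValueError(f"header injection attempt in {name} field")
    return f"To: {to_addr}\r\nFrom: {from_addr}\r\nSubject: {subject}\r\n"


def header_lines(headers: str) -> list[str]:
    """Split rendered headers into lines, the way a mail program sees them."""
    return [line for line in headers.split("\r\n") if line]


def submission_accepted(to_addr: str, from_addr: str, subject: str) -> bool:
    """True if the hardened builder lets the submission through."""
    try:
        build_headers_checked(to_addr, from_addr, subject)
    except ValueError:
        return False
    return True
```

With the tainted "From" value, the unchecked builder emits four header lines instead of three, the extra one being the injected Bcc; the checked builder refuses the submission outright.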
The Bulletin Board code can also be hacked to allow scripts to infect the browsers of people who view the hacked pages. Due to vulnerabilities in browser software, a hacker can put specially formed code into the page and run code on the viewer's machine. They are able to get into the bulletin board and post hundreds of fake entries by using a SQL injection attack that is allowed by the vulnerabilities in the bulletin board code. Since, again, there is no bounds checking, a hacker can simply log in using specially formed code. Most login code used to be written such that it puts the end user's login info directly into a query. It would not be difficult for anyone with SQL knowledge to change the SQL statement so that it is true in all instances. There are some technical tricks that need to be done in most cases, but the attack is not far from simply changing the login to anything and the password to 1=1. Since 1 ALWAYS equals 1 in our world, it is true. You are then logged in and have full access. It is really very simple in many cases.
The scripts that they use once they have this access vary. It depends greatly on what vulnerabilities are still widely available to them. You can see, though, how easy it would be to turn a random high-traffic site into a spam generating machine.
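To make the "password to 1=1" login trick and its fix concrete, here is an added example (not code from the post, and not BBThing's real code) using an in-memory SQLite table with constructed accounts: the old style splices the form fields into the SQL text, while the parameterised version hands the values to the database driver separately so quotes and 1=1 are compared as plain text. Passwords are stored in the clear only to keep the example short; hashing them is a separate topic.

```python
import sqlite3

# The post's "password to 1=1" input, with the quote and comment marker that
# make the spliced query read: ... AND password = '' OR 1=1 --'
ALWAYS_TRUE_PASSWORD = "' OR 1=1 --"


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the bulletin board's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_unchecked(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Old-style login: the form fields become part of the SQL statement itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_checked(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised login: '?' placeholders are bound by the driver, so the
    field contents can never change the shape of the query."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare_logins(username: str, password: str) -> dict[str, bool]:
    """Run the same credentials through both versions for a side-by-side view."""
    conn = make_demo_db()
    try:
        return {
            "unchecked": login_unchecked(conn, username, password),
            "checked": login_checked(conn, username, password),
        }
    finally:
        conn.close()
```

Against the spliced query the always-true password logs in as "anything"; the parameterised query rejects it while still accepting alice's real password.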
This is a brief introduction to how malware is getting onto so many computers. I tried to make it as non-technical as a technical person can. Sometimes it is difficult to write things in a non-technical way when you are in the industry. The main reason is you feel your colleagues breathing down your neck, correcting you at each turn. But hopefully this will satisfy both types of readers…
Filed under: Spam, Open Source, Web, News, Security