SANS ISC: The Strange Case of Doctor Jekyll and Mr. ED

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

About a year ago, I wrote a diary here at the ISC called “Putting the ‘ED’ back in .EDU”.   Like most of the stuff I write, it caused a bit of a stir when it was published, because it pointed out that several .edu domains were riddled with compromised machines serving up link-fodder for peddlers of erectile dysfunction (ED) meds.  And, oh yeah… I named names.

All of this ruckus was caused by me using a little bit o’Google-fu, to see what big-G had to say, specifically, in response to searches like these:

site:.edu buy viagra (link)

site:.gov buy cialis (link)

It’s a hobby: some people collect coins, some people knit… I look for compromised websites. 

Being the pessimist that I am, when I re-whipped out a couple of those ol’Google-dorkin’ chestnuts the other day, I was pretty sure that I would still find some new best friends to chat with about their “site security.” (Note: If you get an unexpected phone call from me, it’s rarely what you would call “good news.”)

I wasn’t disappointed.

While it’s been a bit over a year since I that piece was published (and three years since I originally pointed out the fun that a few choice Google searches could create) there was no shortage of joy to be found in this latest go ‘round.

However, amid my ironic chucking and the pitter-patter of emails being fired off to various “webmasters,” I happened upon something that caught my interest.

It started off innocently enough: the library website of a small educational institution had been 0wned.  I followed the link from my Google search to the library site and was quickly redirected to another page hawking enough sildenafil citrate to straighten up the Leaning Tower of Pisa.  Heheheh...

Being the all-around nice guy that I am, I hit up the main web page of the school trying to find some contact information.  While poking around, I noticed a link to the Library’s site right there on the front page.

“Hmm…,” I thought to myself, “you gotta wonder how long this site’s been 0wned without anyone noticing.”  And I clicked the link.

A funny thing happened.  The library page appeared.

Obviously, something odd was going on here.  It was like a single website with two distinctly different, Jekyll and Hyde personalities...

(Somewhere, Robert Louis Stevenson is spinnin' in his grave like a top...)

Looking back and forth between my Google results and the school’s main page, I fairly quickly determined that the URL at least appeared to be the same.

Just to be sure, I clicked through the Google page again – and it took me right back to "pharma-R-us™"

Then my wife called me for dinner.

Now I don’t know how things are where you live, but in my house, when you get called for dinner, you go.  Delay means a very quiet dinner with a side-dish of disapproving looks and no dessert.

One contented family meal later, and I returned to my desk, still intrigued.

Having closed out the browser before I left (look… when you regularly search using terms like “viagra,” “cialis,” and “levitra” you find yourself getting into the habit of closing your browser when you leave… trust me), I fired up a quick Google search based on the name of the school and the word “library.”  Boom, there was the same link with the same sample chunk o’text talking about the same virtues of “cheap pharma.”

So, I clicked on the link… and landed on the Library site.

At that point, I clearly and loudly “defined” the meaning of the acronym “WTF.”

Now I’m not always the quickest bunny in the forest (example: when I heard that Apple was patching flaws in iOS I immediately thought “That’s really nice of them.  I hope Cisco says ‘thanks.’”) so I sat there scratching my…  well, let’s say “head,”… and thinking.

After a few moment's thought, an idea struck me.

Ouch.

I fired up the “Tamper Data” extension for Firefox, kicked it into “tamper” mode, and clicked on the “home” link on the Library page.

When Tamper Data offered me the opportunity to tamper with the request, I gladly accepted.  I replaced the contents of the “Referer” (this is why we can’t have nice things… nerds can’t spell) field with:

http://google.com/search?q=cialis

fired off the request, and lo! I was in erectile dysfunction heaven.

(Note: it’s like normal heaven, but the robes fit funny…)

So… what’s going on here?

While I talked to the folks at the school’s library, I wasn’t able to get code from them.  However, armed with what I had learned from finding that site, I was able to find several others, and here’s what appears to be going on:

When the Ev1L H@x0rz compromise the site, their goal is pretty simple: they want to change the content of the site itself to increase their positioning on the search engines.  The whole idea would be ruined, however, if they gave away the fact that they'd 0wned the site. So the idea is to “use” the site… not “abuse” it.

Rather than mucking around with the code for the site itself, the bad guys target the .htaccess files.  For those of you unfamiliar with the workings of webservers, .htaccess files are used by the Apache webserver (and some others…) to provide a way to make configuration changes to the server itself, on a per-directory basis.  So, for instance, you can use an .htaccess file to change the way that the webserver treats specific types of files in a single directory only.

The bad guys also leverage another Apache “tool,” known as mod_rewrite. This tool provides a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.

So, while I never actually got my hands on an altered .htaccess file, I have a pretty good idea of what they look like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
RewriteRule .* http://badsite.com [R,L]

Somewhere in there, they likely also have a rule that serves up different content when it thinks that Google-bot is coming to call.  I tried to trick it into doing that by switching the “User-Agent” of my browser to mimic Google-bot, but it didn’t work. (My guess: they’re combining “User-Agent” matching with some Google-ish IP address ranges, or something else entirely…)

So, what’s the moral of this tale about the two faces of a single site?  Beware, dear reader.  Just because your site looks normal to you, just because your site looks normal to the bulk of your visitors, you still may have been 0wned.   Constant vigilance is the only means of protecting your site, and your reputation.

Stand up tall: be aware and be vigilant. 

And if you’re having a little trouble standin’ tall, I know a library website you can visit.

Tom Liston - Handler - SANS Internet Storm Center
Senior Security Analyst - InGuardians, Inc.
Director, InGuardians Labs
Chairman, SANS Virtualization and Cloud Computing Summit
Twitter: @tliston
My honeypot tweets: @netmenaces