When web sites go bad: bible . org compromise

Published: 2013-02-22
Last Updated: 2013-02-22 16:17:28 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

NOTE: The site is STILL compromissed right now. DO NOT VISIT.

This is more of an "awareness" item to show to coworkers and relatives that you can't be careful enough. "bible . org" is a site that offers as the name implies access to the bible and related commentary as well as translations. Sadly, earlier this week the site go appearantly compromissed. The owner was notified, but didn't have the means or skills to clean the site so far. 

Like in so many cases, the exploit inserts javascript at the very top of the page. Likely this may have happened via a compromised configuration file. But right now, we don't know. The malicious content is only shown to some browsers based on the user agent string. So a plain wget or curl won't get you the malware. You need to specify the user agent string (for wget, setup a .wgetrc file to do this automatically, or use the -U switch).

The exploit inserts an iframe with changing URL following the pattern http://[random string].ddns.name/b6noxa1/counter.php?fid=2 (the domains I saw have been reported to changeip.com ). 

The wepawet analysis [1] shows that at least one Adobe PDF vulnerability is being exploited, luckily an older one (CVE-2010-0188), but there is an additional PDF that webawet didn't analyse. It can be tricky to retrieve all components of these exploit kits from a non-vulnerable or simulated browser.

[1] http://wepawet.iseclab.org/view.php?hash=ae81a29e04bd93994c1f92411e58975a&t=1361545134&type=js

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

1 comment(s)

Comments

Looks like it must be fixed now.
bible.org all negative results:
https://www.virustotal.com/en/url/67c895cb6861a5f1c340ed72a5a87ab253f0eb5758a154cb998bfd80a7bece65/analysis/1361666228/
http://urlquery.net/report.php?id=1090906
http://wepawet.iseclab.org/view.php?hash=043f7460996ea401c862f0ae68475623&t=1361666897&type=js

HTML source on Pastebin as of 7pm CST 2/23 on IE10 Win7: http://pastebin.com/qEGSpuhU

I see nothing referencing counter, ddns, and only normal JS mentions of .name (not associated with a TLD)

Diary Archives