The Strange Case of Doctor Jekyll and Mr. ED
About a year ago, I wrote a diary here at the ISC called “Putting the ‘ED’ back in .EDU”.   Like most of the stuff I write, it caused a bit of a stir when it was published, because it pointed out that several .edu domains were riddled with compromised machines serving up link-fodder for peddlers of erectile dysfunction (ED) meds.  And, oh yeah… I named names.
All of this ruckus was caused by me using a little bit o’Google-fu, to see what big-G had to say, specifically, in response to searches like these: 
site:.edu buy viagra (link)
site:.gov buy cialis (link)
It’s a hobby: some people collect coins, some people knit… I look for compromised websites.  
Being the pessimist that I am, when I re-whipped out a couple of those ol’Google-dorkin’ chestnuts the other day, I was pretty sure that I would still find some new best friends to chat with about their “site security.” (Note: If you get an unexpected phone call from me, it’s rarely what you would call “good news.”)
I wasn’t disappointed.
While it’s been a bit over a year since that piece was published (and three years since I originally pointed out the fun that a few choice Google searches could create) there was no shortage of joy to be found in this latest go ‘round.
However, amid my ironic chuckling and the pitter-patter of emails being fired off to various “webmasters,” I happened upon something that caught my interest.
It started off innocently enough: the library website of a small educational institution had been 0wned.  I followed the link from my Google search to the library site and was quickly redirected to another page hawking enough sildenafil citrate to straighten up the Leaning Tower of Pisa.  Heheheh...
Being the all-around nice guy that I am, I hit up the main web page of the school trying to find some contact information.  While poking around, I noticed a link to the Library’s site right there on the front page.
“Hmm…,” I thought to myself, “you gotta wonder how long this site’s been 0wned without anyone noticing.”  And I clicked the link.
A funny thing happened.  The library page appeared.
Obviously, something odd was going on here. It was like a single website with two distinctly different, Jekyll and Hyde personalities...
 
 
(Somewhere, Robert Louis Stevenson is spinnin' in his grave like a top...)
Looking back and forth between my Google results and the school’s main page, I fairly quickly determined that the URL at least appeared to be the same.
Just to be sure, I clicked through the Google page again – and it took me right back to "pharma-R-us™" 
Then my wife called me for dinner.
Now I don’t know how things are where you live, but in my house, when you get called for dinner, you go.  Delay means a very quiet dinner with a side-dish of disapproving looks and no dessert.
One contented family meal later, and I returned to my desk, still intrigued.
Having closed out the browser before I left (look… when you regularly search using terms like “viagra,” “cialis,” and “levitra” you find yourself getting into the habit of closing your browser when you leave… trust me), I fired up a quick Google search based on the name of the school and the word “library.”  Boom, there was the same link with the same sample chunk o’text talking about the same virtues of “cheap pharma.”
So, I clicked on the link… and landed on the Library site.
At that point, I clearly and loudly “defined” the meaning of the acronym “WTF.”
Now I’m not always the quickest bunny in the forest (example: when I heard that Apple was patching flaws in iOS I immediately thought “That’s really nice of them.  I hope Cisco says ‘thanks.’”) so I sat there scratching my…  well, let’s say “head,”… and thinking.
After a few moments’ thought, an idea struck me.
Ouch.
I fired up the “Tamper Data” extension for Firefox, kicked it into “tamper” mode, and clicked on the “home” link on the Library page.
When Tamper Data offered me the opportunity to tamper with the request, I gladly accepted.  I replaced the contents of the “Referer” (this is why we can’t have nice things… nerds can’t spell) field with:
http://google.com/search?q=cialis
fired off the request, and lo! I was in erectile dysfunction heaven.
(Note: it’s like normal heaven, but the robes fit funny…)
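The Tamper Data test above (same URL, different Referer) is easy to automate so a site owner can run it against their own site instead of waiting for a phone call. The script below is an added example, not code from the diary; it requests a page once per Referer without following redirects and reports whether the status, Location header or body differs. The search URLs, the host names and the simulated compromised server are constructed for illustration; pass a real URL on the command line to test a live site.

```python
"""Does this site answer differently depending on the Referer header?

Added example for the ISC diary; it is not the diary's own code.  The
`simulated_compromised_server` fetcher and all host names are constructed.
"""
import hashlib
import sys
import urllib.error
import urllib.request

# Referers to try: a plain visit, a harmless search, and a "pharma" search.
# The search URLs are constructed examples, not captured traffic.
REFERERS = {
    "direct": "",
    "neutral search": "http://google.com/search?q=library+hours",
    "pharma search": "http://google.com/search?q=cialis",
}


def http_fetch(url, headers):
    """Fetch `url` without following redirects; return (status, location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # stop here: we want to see the 30x itself
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read()
    except urllib.error.HTTPError as err:  # 30x/4xx/5xx all land here
        return err.code, err.headers.get("Location", ""), err.read()


def simulated_compromised_server(url, headers):
    """Constructed stand-in for a server carrying Referer-gated rewrite rules."""
    referer = headers.get("Referer", "").lower()
    from_engine = any(e in referer for e in ("google", "yahoo", "bing"))
    pharma = any(t in referer for t in ("cialis", "viagra", "levitra"))
    if from_engine and pharma:
        return 302, "http://pharma-redirect.example/", b""
    return 200, "", b"<html><body>Welcome to the library</body></html>"


def check_cloaking(url, fetch=http_fetch, referers=REFERERS):
    """Request `url` once per Referer and record what each one got back."""
    results = {}
    for label, referer in referers.items():
        headers = {"User-Agent": "Mozilla/5.0 (cloaking-check)"}
        if referer:
            headers["Referer"] = referer
        status, location, body = fetch(url, headers)
        results[label] = {
            "status": status,
            "location": location,
            "body_sha256": hashlib.sha256(body).hexdigest(),
        }
    return results


def differs_by_referer(results):
    """True if any Referer produced a different status, Location or body."""
    seen = {(r["status"], r["location"], r["body_sha256"]) for r in results.values()}
    return len(seen) > 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, fetcher = sys.argv[1], http_fetch          # live check
    else:
        target, fetcher = "http://library.example/", simulated_compromised_server
    outcome = check_cloaking(target, fetch=fetcher)
    for label, r in outcome.items():
        print(f"{label:15s} status={r['status']} location={r['location']!r}")
    print("Referer-dependent behaviour:", differs_by_referer(outcome))
```

A body hash is compared as well as the status, because a rewrite that proxies different content (rather than redirecting) would otherwise look identical at the HTTP level.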
So… what’s going on here?
While I talked to the folks at the school’s library, I wasn’t able to get code from them.  However, armed with what I had learned from finding that site, I was able to find several others, and here’s what appears to be going on:
When the Ev1L H@x0rz compromise the site, their goal is pretty simple: they want to change the content of the site itself to increase their positioning on the search engines.  The whole idea would be ruined, however, if they gave away the fact that they'd 0wned the site. So the idea is to “use” the site… not “abuse” it.
Rather than mucking around with the code for the site itself, the bad guys target the .htaccess files.  For those of you unfamiliar with the workings of webservers, .htaccess files are used by the Apache webserver (and some others…) to provide a way to make configuration changes to the server itself, on a per-directory basis.  So, for instance, you can use an .htaccess file to change the way that the webserver treats specific types of files in a single directory only.
The bad guys also leverage another Apache “tool,” known as mod_rewrite. This tool provides a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.
So, while I never actually got my hands on an altered .htaccess file, I have a pretty good idea of what they look like:
# Enable mod_rewrite for this directory
RewriteEngine On
# Match only visitors arriving from a search engine via a "pharma" query...
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$ [NC]
# ...and bounce them to the spammer's site; everyone else gets the real page
RewriteRule .* http://badsite.com [R,L]
Somewhere in there, they likely also have a rule that serves up different content when it thinks that Google-bot is coming to call.  I tried to trick it into doing that by switching the “User-Agent” of my browser to mimic Google-bot, but it didn’t work. (My guess: they’re combining “User-Agent” matching with some Google-ish IP address ranges, or something else entirely…)
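Since the tell-tale sign lives in .htaccess rather than in the site's own code, a static review of those files is the other check worth running. The auditor below is an added example (not code from the diary, from Apache, or from any affected site): it walks RewriteCond/RewriteRule pairs and flags conditions keyed on the Referer, User-Agent or client address (the latter covering the Googlebot-by-IP guess above) that gate a RewriteRule sending visitors off-site. SAMPLE_HTACCESS is constructed from the reconstruction above; the host names in it are placeholders.

```python
"""Static audit of an .htaccess file for Referer/User-Agent cloaking rules.

Added example for the ISC diary; not the diary's, Apache's or any site's code.
SAMPLE_HTACCESS is constructed and its host names are placeholders.
"""
import re
import sys
from urllib.parse import urlparse

SEARCH_ENGINES = ("google", "yahoo", "bing")
PHARMA_TERMS = ("cialis", "viagra", "levitra", "pharma")
# Request variables a cloaking redirect is typically gated on
GATING_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}", "%{REMOTE_ADDR}")

SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$ [NC]
RewriteRule .* http://badsite.example/ [R,L]
# a legitimate rule the site might have had all along
RewriteRule ^old-page$ /new-page [R=301,L]
"""

COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)", re.I)


def audit_htaccess(text, site_hosts=()):
    """Return findings as (line_no, reason, line) tuples.

    site_hosts: host names the site legitimately redirects to (caller-supplied).
    """
    findings = []
    gating = []  # line numbers of gating RewriteConds awaiting their RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            var, pattern = m.group(1).upper(), m.group(2).lower()
            if var in GATING_VARS:
                gating.append(no)
                if any(t in pattern for t in PHARMA_TERMS):
                    findings.append((no, f"{var} condition matches pharma keywords", line))
                elif any(e in pattern for e in SEARCH_ENGINES):
                    findings.append((no, f"{var} condition keys on a search engine", line))
            continue
        m = RULE_RE.match(line)
        if m:
            host = urlparse(m.group(2)).hostname  # None for a relative target
            if host and host not in site_hosts:
                reason = "redirects off-site"
                if gating:
                    reason += f" (gated by conditions on lines {gating})"
                findings.append((no, reason, line))
            gating = []  # RewriteConds only apply to the next RewriteRule
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for no, reason, line in audit_htaccess(source):
        print(f"line {no}: {reason}\n    {line}")
```

Run it over every .htaccess under the document root (Apache honours them per directory, so a compromised one can sit several levels down) and treat any off-site redirect gated on Referer, User-Agent or REMOTE_ADDR as something to explain, not something to assume is intentional.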
So, what’s the moral of this tale about the two faces of a single site?  Beware, dear reader.  Just because your site looks normal to you, just because your site looks normal to the bulk of your visitors, you still may have been 0wned.   Constant vigilance is the only means of protecting your site, and your reputation.
Stand up tall: be aware and be vigilant.  
And if you’re having a little trouble standin’ tall, I know a library website you can visit.
Tom Liston - Handler - SANS Internet Storm Center
Senior Security Analyst - InGuardians, Inc.
Director, InGuardians Labs
Chairman, SANS Virtualization and Cloud Computing Summit
Twitter: @tliston
My honeypot tweets: @netmenaces
 
              
Comments
What ever happened to SANS? I thought they had professionals working here. Maybe you can let the big kids write the blog articles from now on, k?
Noneroy
Aug 16th 2010
1 decade ago
Anyways, great post. I have come across quite a bit of this in the past especially in the SMB's. ISC also had a previous post in 2008 here http://isc.sans.edu/diary.html?storyid=5150
Thanks for the great post.
Bugbear
Aug 16th 2010
1 decade ago
I see nothing wrong with appropriate mixtures of hilariousness and technical genius.
Heck, I do it all the time and I think it helps the uptake of potentially dry material.
Rock on Tom !
Steve
Aug 16th 2010
1 decade ago
Ryan Greenier
Aug 16th 2010
1 decade ago
Stephen Cameron
Aug 16th 2010
1 decade ago
Ken
Aug 16th 2010
1 decade ago
The SEO game being played with modrewrite is an interesting but subtle twist on a classic - but now they're applying it to the site owner. I first saw (and used) this specific tactic as a method of rickrolling, initially to target specific people, and then to try to rickroll specific keyword visitors from google/yahoo, waaaay back when RRing was invented. Modrewrite was the technique of choice, as there are no app/platform-specific quirks that php injection (et al) would entail - and it is trivial to roll out, screw up, and rescind, with as broad or narrow a scope as you please.
"Who was the greatest exploiter ever, and what did they do to earn that title?"
"We don't know, and we don't know. They were *that* good."
Steven
Aug 16th 2010
1 decade ago
Tom
Aug 16th 2010
1 decade ago
Tom
Aug 16th 2010
1 decade ago