Long Live the Injection, and how it Affects YOU!
Posted: 09 Nov 2012 02:40 AM

Cybercriminals are trying to find ways to increase the life cycle of injections in websites. Usually, when an attacker gains control of a site, the life span of the code injected into that site depends on how fast the website administrator notices the malicious content added to their web pages.

One of the tactics that cybercriminals now employ to increase the life span of injected code is to install rogue modules on to compromised web servers. These modules hide themselves and the presence of an injection from system and website administrators, security researchers and criminal competitors.

Image 1: The red arrow below shows the difference between the life span of typical malicious injected code and code injected by a rogue Apache module:

A lot of blogs, articles, and forum discussions have appeared about so-called "underground" forums selling all sorts of hacking tools for "penetration testing." We are monitoring these forums and would like to share some information about web server rootkits. Recently, we've started seeing more tools on sale, such as web server rootkits for injecting and hiding malicious code in all websites hosted by a web server. In the past, these tools were sold only in closed communities and to a small set of people, but researchers, website administrators, and web server administrators have uncovered these tools and started to mention them in blogs and forums.

We have seen several forum discussions talking about malicious iframes magically appearing on different websites and constantly changing the injected URLs. Administrators of affected sites and servers have not been able to identify what the problem is.

Image 2: The following forum discusses how injected iframes are constantly appearing on different sites on a server:

According to underground forums, you can buy the "module Apache/2" for $1,000. Some features described by the seller include iframe injection in php/html/js files, allowing access only by unique IPs, and periodically renewing URLs, all of which add value if used in conjunction with an exploit kit.

Apart from injecting iframes, such modules have a long life cycle, successfully staying in stealth mode and remaining undetected by administrators. Stealth functionality is achieved by collecting and recording the IPs that admins/roots use to log into the server, going quiet when a user connects from one of those IPs, not showing iframes to non-unique (repeat) visitors, and going into quiet mode again when suspicious processes like tcpdump are detected. When the admin/root logs off, the module becomes active again.

The author of the rogue Apache module shows in the following statistics how successful this tool has been when used to install rogue AVs with different exploit kits.

Image 3: Stats from exploit kits showing successful exploits with the help of the web server Apache rogue module:

How does Websense protect customers from malicious code injected by rogue modules?

When an end user browses to a website injected with malicious code, we protect them with Websense ACE (Advanced Classification Engine). ACE technologies analyze websites in real time, guarding against any malicious iFrames that mysteriously appear on websites.

One of the conditions the rogue Apache module supports is to show injected code only when a user with a unique IP address accesses the website for the first time, or arrives via specific referrers. Because the module makes injected content appear or disappear dynamically based on parameters like these, it is much more challenging for security solutions that don't employ real-time content analysis. Websense real-time analysis parses and analyzes websites on the fly and checks for malicious content. When injected code is found, the website is blocked and customers are protected.
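The selective behaviour described above (frames served only on a first visit from a new IP or via chosen referrers, and withheld when an admin IP is looking) also suggests a simple check a site owner can run: fetch the same page under several conditions and compare what comes back. The Python below is an added example, not Websense code and not the module's; the HTML bodies are constructed samples standing in for live responses, the `.invalid` hosts are made up, and `example.com` stands in for the monitored site.

```python
"""Spot conditionally injected iframes by comparing several fetches of one
page made under different conditions (first visit from a new IP, repeat visit,
visit from an admin IP, different Referer).  The HTML bodies below are
constructed samples standing in for live responses, so this runs offline.
Added example; not Websense code."""
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def iframe_sources(html: str) -> Set[str]:
    """Return the set of iframe src values found in an HTML body."""
    parser = IframeCollector()
    parser.feed(html)
    return set(parser.sources)


def find_conditional_iframes(fetches: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each iframe src that is NOT present in every fetch to the labels
    of the fetches in which it did appear.

    `fetches` maps a label describing the fetch condition to the HTML body
    that came back.  A frame present in every fetch is treated as part of the
    legitimate page; one served only under some conditions is the signature
    of a module that injects selectively (new IP only, chosen referrers,
    nothing while an admin is connected)."""
    per_fetch = {label: iframe_sources(body) for label, body in fetches.items()}
    if not per_fetch:
        return {}
    everywhere = set.intersection(*per_fetch.values())
    suspicious: Dict[str, List[str]] = {}
    for label, srcs in per_fetch.items():
        for src in srcs - everywhere:
            suspicious.setdefault(src, []).append(label)
    return {src: sorted(labels) for src, labels in suspicious.items()}


def external_hosts(srcs: Iterable[str], site_host: str) -> Set[str]:
    """Hostnames among `srcs` that are neither the site itself nor one of its
    subdomains.  Relative URLs carry no host and are skipped."""
    site_host = site_host.lower()
    hosts: Set[str] = set()
    for src in srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return hosts


# Constructed sample responses.  The legitimate page always carries one
# weather widget frame; the injected frames show up only under the conditions
# the rogue module favours, and the injected URL differs between fetches
# (the module renews its URLs periodically).  Hosts use the reserved
# .invalid TLD so they can never resolve.
_LEGIT = '<html><body><h1>Shop</h1><iframe src="http://example.com/widgets/weather.html"></iframe>'
SAMPLE_FETCHES: Dict[str, str] = {
    "first visit, new ip": _LEGIT
    + '<iframe src="http://bad-host.invalid/in.php" width="1" height="1"></iframe></body></html>',
    "repeat visit, same ip": _LEGIT + "</body></html>",
    "visit from admin ip": _LEGIT + "</body></html>",
    "first visit, search-engine referer": _LEGIT
    + '<iframe src="http://other-bad.invalid/go.php" width="1" height="1"></iframe></body></html>',
}


def scan(fetches: Dict[str, str], site_host: str) -> Dict[str, object]:
    """Run the comparison and summarise which frames are conditional and
    which of those point off-site."""
    conditional = find_conditional_iframes(fetches)
    return {
        "conditional": conditional,
        "offsite_hosts": sorted(external_hosts(conditional, site_host)),
    }


if __name__ == "__main__":
    for src, labels in scan(SAMPLE_FETCHES, "example.com")["conditional"].items():
        print(f"{src}  only in: {', '.join(labels)}")
```

In practice the four labels would correspond to real fetches: one from a never-used address, a second from the same address, one from the address the administrator normally works from, and one with a search-engine Referer header. A frame that only shows up in the first and last of those is exactly the pattern the post describes, and comparing from outside the server sidesteps the module's habit of going quiet whenever it sees an admin IP or a sniffer on the box.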

 

Image 4: Website blocked by Websense real-time analytics:

Artem Gololobov

Pinning Down Pinterest
Posted: 04 May 2012 08:08 PM

There has been a lot of talk lately about Pinterest, the "virtual pinboard" that allows you to "organize and share all the beautiful things you find on the web."

Pinterest uses online social networking to extend the ways you can share your images. Its mission statement reads:  "Our goal is to connect everyone in the world through the 'things' they find interesting. We think that a favorite book, toy, or recipe can reveal a common link between two people. With millions of new pins added every week, Pinterest is connecting people all over the world based on shared tastes and interests."

How does it work?

Currently, the site is available by invitation only, but it’s quite easy to request an invitation either directly from the site or from a friend who’s already using it. Once you’re in, you create “pins”: images you want to post, including videos, along with any text captions you care to add. The “Pin It” button can be added to Firefox or your iPhone, allowing you to grab images anytime and anywhere.  It also adds a link to the source, automatically crediting the author and, presumably, avoiding copyright issues, which have sparked a lot of discussion.*

A collection of pins is called a “board,” which usually focuses on a theme or interest. By displaying images in a thematic board, Pinterest creates a visual collage which provides context and relationships for images in ways other social media sites do not.


It is precisely the social media elements that seem to be fueling Pinterest’s popularity.  Users can search pins, boards, or people. They can “like” other people’s pins, post comments, repin the images to their own boards, and even share them via Facebook and Twitter links, or via embedding in a blog or email. They can follow other users, see activity streams, and click through to the source of an image for more information, or to make a purchase. Collaboration with Flickr was just announced, which enables sharing in the user's Flickr account.

Who uses it?

The number of unique visitors per month to Pinterest has jumped in just under one year from less than half a million to well over 18 million. Most (68.6%) are in the US, but all parts of the world are represented—and growing. Users tend to spend quite a bit of time on the site: more than 15 minutes per day, which is over 50% more than Twitter.



This explosion has created a huge buzz around the site, and at Websense we’ve learned that sites which attract lots of users also tend to attract lots of security concerns.

What could possibly go wrong?

Any site that attracts a lot of users and attention inevitably becomes a target for hackers and spammers. Spam and other types of objectionable content can be reported to Pinterest with the click of a button, which suggests the site relies on its users to spot problems and flag them for review. Malicious image files—where embedded malware is hidden in an image file—can be a particular threat on an image-based platform.

A while back we wrote a blog about inexpensive application toolkits on Facebook. This time around, it's Pinterest's turn.

Here are a few examples of spamming toolkits that automatically generate massive amounts of traffic on a spammer's Pinterest account. Tools may be purchased individually or in packages, and prices range from about $25 to almost $2000 depending on the number and functionality desired.

One tool creates automatic "likes" for pins, and sends an email to the pin creator saying you liked it, along with a link to your profile.

Another tool finds the most popular pins and re-submits them into the same board name and category on the spammer's account.

Websense researchers found many similar tools for sale, all of which generate unnatural traffic to the spammer's account in order to increase the popularity of a site or brand.  Of course, Pinterest may notice or be informed of the unusual traffic and block the account. A bigger risk is that spamming tools may actually contain viruses, malware, or other threats, making the would-be hacker into a hacking target. 

Pinterest was recently the target of injected JavaScript code (possibly created by such spamming tools) that changed many pins into ads. A recent Pinterest blog post about spam on the platform generated a fair number of user responses about fake followers and spam (comments are now closed). And the site is reportedly using CAPTCHA, at least on some accounts, to ensure that users are human beings.

Regardless of how Pinterest evolves, you can be sure that Websense will stay on top of any security risks, helping you use social media safely.

* Because pinning something actually creates a copy (as opposed to simply “liking” a pin), there has been a great deal of controversy and confusion around Pinterest and copyright. The personal blog of a copyright librarian provides some useful discussion.


RM

©2013 Websense, Inc. All Rights Reserved.